[00:35.110 --> 00:36.270]  Can you hear me?
[00:48.710 --> 00:51.090]  The slide looks a little bit like shit, but yeah.
[00:51.690 --> 00:52.690]  It is what it is.
[00:52.690 --> 00:55.110]  It is what it is, yes, unfortunately.
[00:56.570 --> 01:00.810]  Now, do I need to see you on a webcam here, or should we turn off...
[01:00.810 --> 01:03.170]  No, I have to do that, otherwise you can't stream me.
[01:03.170 --> 01:04.490]  Alright, alright, alright.
[01:07.850 --> 01:10.110]  Alright, so, and then we have...
[01:12.030 --> 01:14.030]  This there, and yeah, ok.
[01:14.030 --> 01:16.750]  Cool, ooh, look at the background, looks nice, brother.
[01:17.930 --> 01:19.370]  Man, you've been busy.
[01:19.990 --> 01:21.670]  And you've got a nice shirt on as well.
[01:21.670 --> 01:24.050]  I just put on a fucking t-shirt.
[01:24.050 --> 01:25.610]  You should have told me I could...
[01:25.610 --> 01:30.010]  I would have swapped to an RRG t-shirt here.
[01:30.010 --> 01:32.170]  Give me one second here.
[01:36.190 --> 01:37.730]  It is in the end of the slideshow.
[01:37.730 --> 01:40.730]  It's loads of crappy slides, but it shouldn't be there.
[01:42.890 --> 01:46.930]  Well, anyway, we just said goodbye anyway, so that's how it is.
[01:47.090 --> 01:48.550]  It's a part of life.
[01:49.350 --> 01:52.850]  We pushed this one a little bit too close.
[01:52.850 --> 01:53.510]  Dude.
[01:54.250 --> 01:56.490]  Yeah, so just so you know, we are...
[01:57.170 --> 02:01.090]  I'm streaming, but I don't think the event has started, so I don't think...
[02:01.090 --> 02:03.210]  I don't see anything live yet.
[02:03.310 --> 02:06.730]  Alright, because that's not live until 4 minutes 20 seconds, that's why.
[02:06.730 --> 02:08.130]  Yeah, yeah, yeah.
[02:17.760 --> 02:19.820]  Do-do-do-do.
[02:20.640 --> 02:24.540]  Na-na-na-na-na-na-na-na-na-na.
[02:32.240 --> 02:36.740]  Do-do-do-do-do-do-do-do-do-do.
[02:37.960 --> 02:42.620]  So we got the Zero Day Initiative up and running.
[02:42.620 --> 02:43.480]  Yep.
[02:45.060 --> 02:46.220]  Yeah.
[02:46.220 --> 02:49.540]  So basically after we new tools, it's demo time.
[02:49.540 --> 02:54.100]  Or how did you say? I think that's where we're going to squeeze it in.
[02:55.700 --> 02:58.920]  Because when we talked about everything, and then we just want to show it off.
[02:58.920 --> 02:59.840]  Pretty much.
[03:00.220 --> 03:04.720]  We show off standalone things first, I guess, and then we do Zero Day after that.
[03:04.720 --> 03:06.520]  And then we do Q&A.
[03:07.180 --> 03:09.420]  And if you want to have that in...
[03:09.420 --> 03:13.580]  I'm going to have Discord up and stuff like that, so I can see if there are...
[03:13.580 --> 03:17.940]  You know, if they keep track of any questions or stuff like that.
[03:17.940 --> 03:18.660]  I don't think so.
[03:18.660 --> 03:22.100]  What contact info do you want to use?
[03:23.200 --> 03:27.900]  Make Iceman at iuses.sc or something like that.
[03:28.060 --> 03:29.700]  iuseskill or something.
[03:29.860 --> 03:31.980]  Usually this one goes well.
[03:36.300 --> 03:38.440]  Yeah, that one works.
[03:39.020 --> 03:40.260]  Keybase.
[03:42.760 --> 03:43.840]  Bye.
[03:44.730 --> 03:45.820]  See ya.
[03:57.330 --> 03:59.390]  And I need to...
[03:59.390 --> 04:00.970]  take that one.
[04:01.410 --> 04:02.070]  Iceman.
[04:02.070 --> 04:02.830]  Ha!
[04:02.830 --> 04:04.410]  The Penguin, yay!
[04:04.890 --> 04:07.790]  I think they are listening in to us already, that's why.
[04:07.950 --> 04:09.250]  Oh, that's possible.
[04:09.390 --> 04:10.950]  That's possible, okay.
[04:11.070 --> 04:13.690]  Let's keep this one clean then.
[04:14.770 --> 04:17.730]  I mean, I don't know.
[04:17.730 --> 04:19.310]  I don't know if anyone can hear us.
[04:19.310 --> 04:21.590]  No one has been saying anything else.
[04:21.590 --> 04:22.210]  Yay!
[04:22.930 --> 04:23.890]  Yay!
[04:25.970 --> 04:28.930]  Turks, this should be...
[04:44.720 --> 04:48.000]  Alright, I take away Keybase.
[04:48.000 --> 04:50.660]  And I'm looking here on Turks.
[04:57.500 --> 05:00.180]  Yeah, you're live and visible.
[05:00.180 --> 05:01.540]  Alright, nice.
[05:01.540 --> 05:03.060]  Oh, okay.
[05:03.080 --> 05:03.760]  Cool.
[05:03.760 --> 05:05.660]  I've been doing this the whole time.
[05:07.340 --> 05:09.060]  I don't see it on YouTube.
[05:09.060 --> 05:10.300]  Ah, right.
[05:10.300 --> 05:11.240]  I don't either.
[05:11.240 --> 05:12.400]  That's probably for the best.
[05:12.400 --> 05:13.580]  I'll save the bandwidth.
[05:15.820 --> 05:18.400]  No, I meant I'm on the YouTube channel.
[05:18.400 --> 05:20.180]  I didn't see it there on that one.
[05:20.180 --> 05:22.000]  Oh, you can or can't see it?
[05:22.000 --> 05:22.760]  I can't see it.
[05:22.760 --> 05:24.900]  It's just RFHS logo.
[05:24.900 --> 05:25.580]  Okay.
[05:25.580 --> 05:27.160]  But it's live?
[05:27.160 --> 05:28.400]  Are we sure it's live?
[05:28.560 --> 05:32.000]  Yes, Zerus just said it on Discord.
[05:32.000 --> 05:33.880]  But we are both live and visible.
[05:33.880 --> 05:35.400]  So, hello.
[05:35.980 --> 05:37.480]  Hello, everyone.
[05:37.520 --> 05:38.140]  Yeah.
[05:38.260 --> 05:39.220]  Let's see.
[05:39.220 --> 05:40.720]  Let's double check.
[05:41.120 --> 05:44.200]  This is very odd now because now I'm confused.
[05:44.420 --> 05:46.680]  I gotta say, I'm looking...
[05:48.400 --> 05:50.800]  I'm looking at the YouTube link.
[05:50.800 --> 05:52.800]  It doesn't look live.
[05:53.500 --> 05:54.280]  Yeah, exactly.
[05:54.280 --> 05:57.780]  I'm on YouTube link and it doesn't look live.
[05:59.160 --> 06:00.960]  Let's check in with Zero.
[06:00.960 --> 06:03.720]  I don't want to start until we're sure we're good to go.
[06:04.200 --> 06:05.040]  We don't...
[06:06.340 --> 06:12.120]  If anyone can see us and hear us, thank you for standing by as a result.
[06:12.120 --> 06:14.240]  Potential technical difficulties.
[06:16.420 --> 06:19.180]  Yeah, because we don't know how this stuff works.
[06:22.280 --> 06:23.960]  All right.
[06:25.280 --> 06:26.400]  Okay.
[06:27.400 --> 06:28.720]  Maybe I should do that privately.
[06:28.720 --> 06:29.280]  Okay.
[06:32.140 --> 06:32.540]  So...
[06:33.240 --> 06:35.120]  Am I on the wrong YouTube channel?
[06:35.120 --> 06:36.980]  No, it can't be. It should be this one.
[06:38.120 --> 06:40.760]  It says 27 is waiting.
[06:41.400 --> 06:42.740]  Yeah, it does say waiting.
[06:43.140 --> 06:43.920]  Yeah.
[06:43.940 --> 06:45.700]  See, I don't think the stream has started.
[06:45.700 --> 06:47.660]  I think we need to click something in YouTube.
[06:48.140 --> 06:49.420]  Yeah, I think we need to...
[06:49.420 --> 06:52.120]  You have to enable it in YouTube.
[06:52.120 --> 06:56.100]  I think that's what Wasabi should do.
[06:56.100 --> 06:57.840]  If you, Zero, hear this...
[06:57.840 --> 06:59.600]  I wonder if the stream is still private.
[06:59.600 --> 07:03.680]  Wasabi set the stream to private, so it needs to be set un-private if that's the case.
[07:03.940 --> 07:05.160]  Yeah, yeah, yeah, yeah.
[07:07.540 --> 07:09.740]  Well, if they see us, maybe...
[07:09.740 --> 07:10.660]  I don't know.
[07:11.260 --> 07:12.520]  I have no idea.
[07:22.970 --> 07:23.730]  Boom.
[07:24.810 --> 07:28.810]  All right, let's see in the chat if someone can tell us if you actually see us here.
[07:28.810 --> 07:32.290]  And I mean in the YouTube chat, because we can't see ourselves on YouTube.
[07:32.290 --> 07:33.250]  That's why.
[07:35.210 --> 07:36.010]  I don't know.
[07:38.430 --> 07:41.710]  How about now? It's marked public now. Okay, let's see.
[07:41.710 --> 07:44.270]  All right, let's see if it kicks over.
[07:45.430 --> 07:48.010]  I'm refreshing it, and it says, waiting for...
[07:49.270 --> 07:51.270]  It might be on a delay.
[07:52.590 --> 07:54.030]  Yeah, maybe.
[07:54.170 --> 07:56.130]  So don't say anything stupid yet.
[07:56.510 --> 07:58.590]  Because it might be buffered.
[07:59.030 --> 07:59.910]  Oh.
[08:02.530 --> 08:03.870]  Oh my.
[08:05.450 --> 08:09.170]  So where's the live stream exactly? People are asking where it is.
[08:09.170 --> 08:11.470]  Yeah, I am curious as well.
[08:11.470 --> 08:12.150]  Yeah.
[08:18.080 --> 08:18.720]  So...
[08:18.720 --> 08:22.880]  It's marked private. You have to navigate straight to the live link.
[08:22.880 --> 08:24.000]  All right.
[08:25.840 --> 08:30.340]  Mine says, waiting for...
[08:31.940 --> 08:32.340]  Rfhf...
[08:33.360 --> 08:33.760]  Rfhacker...
[08:33.760 --> 08:36.520]  So here's...
[08:36.520 --> 08:38.440]  Oh, here's a different link. Ah, shit.
[08:38.600 --> 08:39.660]  Oh, look at that.
[08:39.840 --> 08:40.240]  Yeah.
[08:40.240 --> 08:41.400]  They gave us the wrong link.
[08:41.400 --> 08:43.360]  People have been watching this whole time.
[08:45.860 --> 08:48.720]  So that means people have the wrong link.
[08:48.720 --> 08:50.400]  We need to get the correct link.
[08:50.400 --> 08:51.220]  Yeah, okay.
[08:52.360 --> 08:55.040]  So I'm going to change back to the other one.
[08:57.500 --> 08:58.300]  And then...
[08:58.300 --> 08:59.240]  Oh man.
[08:59.240 --> 09:00.540]  That sucks.
[09:02.840 --> 09:03.740]  You can go...
[09:03.740 --> 09:04.720]  It's public now.
[09:04.720 --> 09:05.860]  Yeah, yeah, okay.
[09:06.060 --> 09:08.740]  The new link works.
[09:09.820 --> 09:12.520]  The one YouTube suggests.
[09:20.200 --> 09:26.040]  All right, let's go into this chat here and just...
[09:26.040 --> 09:27.520]  Here we go.
[09:27.780 --> 09:28.580]  This one, yeah?
[09:28.580 --> 09:31.060]  Let's go into this chat here and...
[09:31.060 --> 09:32.240]  No, this one.
[09:33.080 --> 09:34.440]  No, this one.
[09:37.080 --> 09:39.080]  Can I delete this one? No, I can't.
[09:39.080 --> 09:40.580]  Ah, well, the last one.
[09:44.030 --> 09:45.510]  All right, I don't know.
[09:46.030 --> 09:47.770]  So, Ferdy's waiting there.
[09:48.050 --> 09:48.930]  And, yeah.
[09:49.410 --> 09:50.650]  Eight is watching.
[09:50.650 --> 09:52.950]  Those eight who's here, hi, it's public.
[09:53.430 --> 09:53.870]  So...
[09:53.870 --> 09:54.670]  Yeah.
[09:54.690 --> 09:56.770]  But the problem is the talk description...
[09:57.490 --> 09:58.550]  Oh, come on.
[09:58.550 --> 09:59.650]  It's the other link.
[09:59.650 --> 10:01.670]  The other link needs to be set live.
[10:02.130 --> 10:03.030]  Yeah, but I will...
[10:03.030 --> 10:05.390]  Or I was given the wrong key.
[10:05.390 --> 10:07.750]  Or I was given the wrong stream key.
[10:08.170 --> 10:08.830]  I have no idea.
[10:08.830 --> 10:13.870]  But this one does not have a stream description or anything like that.
[10:13.870 --> 10:15.730]  So it looks like you have a new link.
[10:17.030 --> 10:17.930]  All right, yeah.
[10:17.930 --> 10:19.490]  So, sorry about that.
[10:19.490 --> 10:20.670]  It says Ferdy waiting.
[10:20.670 --> 10:22.270]  No, we need to...
[10:22.270 --> 10:24.590]  Yeah, those Ferdy there is going to be...
[10:24.590 --> 10:25.290]  Yeah.
[10:25.290 --> 10:26.830]  Because that's the correct link.
[10:26.830 --> 10:30.730]  I was either given the wrong stream key or something needs to be adjusted.
[10:33.470 --> 10:38.550]  For those who are watching this on the other stream, our apologies.
[10:38.550 --> 10:41.410]  We're trying to figure out exactly what's going on.
[10:41.410 --> 10:43.130]  Because we have people in two places.
[10:44.730 --> 10:46.590]  Sorry about that, sirs.
[10:49.210 --> 10:50.590]  And y'all.
[10:55.200 --> 10:56.460]  DefconInfoBooth has that link.
[10:56.460 --> 10:57.520]  We are working on it.
[10:57.520 --> 10:58.100]  All right.
[10:58.100 --> 10:59.360]  Here is Filip.
[10:59.600 --> 11:00.700]  All right.
[11:05.220 --> 11:06.960]  So he is there.
[11:08.620 --> 11:09.340]  All right.
[11:09.920 --> 11:11.280]  Yeah, all right.
[11:15.640 --> 11:16.600]  Yeah.
[11:16.940 --> 11:18.420]  All right, yeah.
[11:20.060 --> 11:21.660]  All right, that's sad.
[11:21.660 --> 11:23.740]  All right, see if we can get people in here.
[11:24.140 --> 11:25.340]  Okay, 15 watching.
[11:25.340 --> 11:27.340]  So everybody who is watching, say hi.
[11:30.100 --> 11:38.480]  Well, Iceman, the problem at the moment is I'm seeing the waiting count for the actual talk link go up.
[11:38.480 --> 11:39.740]  So people are still going to be...
[11:39.740 --> 11:39.760]  Yeah, I agree.
[11:39.760 --> 11:41.260]  So that needs to be resolved.
[11:41.260 --> 11:42.360]  Like, I can't...
[11:42.360 --> 11:43.100]  Yeah.
[11:43.100 --> 11:47.560]  If we just switch, people are going to miss the information.
[11:47.820 --> 11:49.600]  Yeah, a little bit upset about it as well.
[11:49.600 --> 11:51.940]  It's 32 waiting now.
[11:52.300 --> 11:52.640]  So...
[11:52.640 --> 11:52.960]  Yeah.
[11:52.960 --> 11:54.820]  I posted in the chat there.
[11:57.360 --> 11:58.940]  We're so sorry for this.
[12:00.200 --> 12:01.500]  Can you repost that link?
[12:01.500 --> 12:02.340]  All right, let's go...
[12:04.360 --> 12:05.500]  This one.
[12:05.840 --> 12:06.680]  Here you go.
[12:07.880 --> 12:09.560]  Can you post links?
[12:10.240 --> 12:11.920]  Yeah, I just did.
[12:11.920 --> 12:13.120]  No, they're being filtered.
[12:13.120 --> 12:14.680]  They're filtered out of our freaking chat.
[12:14.680 --> 12:15.540]  Thank you, YouTube.
[12:16.680 --> 12:17.200]  All right.
[12:17.200 --> 12:18.400]  You can't see it?
[12:18.400 --> 12:19.460]  No, I can't.
[12:19.460 --> 12:19.960]  I can't.
[12:19.960 --> 12:21.560]  I tried to paste it as well.
[12:22.100 --> 12:23.160]  Okay, okay.
[12:23.160 --> 12:23.860]  Shit.
[12:24.400 --> 12:25.100]  Okay.
[12:27.340 --> 12:29.100]  All right, all right, all right.
[12:29.560 --> 12:31.340]  So, if you go to my Twitter...
[12:32.160 --> 12:32.940]  What?
[12:34.140 --> 12:35.940]  I posted there.
[12:36.680 --> 12:38.660]  So, I'm going to do this.
[12:38.960 --> 12:40.360]  Is this something...
[12:41.840 --> 12:43.600]  Are you talking to Zero?
[12:43.860 --> 12:47.880]  Is this something they can resolve by giving us the correct stream key or something?
[12:48.040 --> 12:50.040]  I have no idea right now.
[12:50.160 --> 12:51.500]  Let's do this.
[12:51.500 --> 12:54.920]  And I'm going to see if I have him on Discord.
[12:55.580 --> 12:56.380]  All right.
[12:56.380 --> 12:58.100]  Both links work for Zero.
[12:58.100 --> 12:59.640]  He can see us on both.
[13:00.640 --> 13:01.800]  What do you want me to solve?
[13:01.800 --> 13:02.620]  Both links for me?
[13:02.620 --> 13:02.980]  Okay.
[13:02.980 --> 13:04.860]  Because only one link works for me.
[13:04.860 --> 13:07.860]  It's the last link you gave to me is working for me.
[13:07.860 --> 13:09.640]  The G-H-I.
[13:09.760 --> 13:12.820]  And the previous one with the stream description doesn't work.
[13:12.820 --> 13:17.480]  So, that one looks like it's private or...
[13:17.480 --> 13:18.680]  Yeah, so I...
[13:19.820 --> 13:20.780]  Okay.
[13:21.180 --> 13:24.360]  Because you are probably allowed.
[13:25.500 --> 13:26.700]  Yeah.
[13:27.120 --> 13:28.320]  Yeah.
[13:32.440 --> 13:34.780]  Okay, because we are chatting on the...
[13:35.440 --> 13:37.940]  Yeah, he's posted there now.
[13:42.180 --> 13:43.380]  Last link...
[13:43.380 --> 13:44.420]  Works.
[13:49.710 --> 13:50.310]  And...
[13:54.520 --> 13:56.240]  All right.
[13:56.500 --> 13:57.640]  How do I write the URL?
[13:57.640 --> 13:59.160]  Ah, the deviant is here.
[13:59.160 --> 14:00.220]  Mark is there.
[14:00.220 --> 14:02.480]  And Rick is there.
[14:07.460 --> 14:12.220]  And people to join the last link.
[14:13.960 --> 14:14.820]  All right.
[14:14.820 --> 14:18.780]  So, I don't know how they are able to resolve this anyway, so...
[14:29.800 --> 14:31.860]  All right, we're working on it.
[14:31.860 --> 14:33.420]  So, I texted Wasabi.
[14:33.420 --> 14:36.840]  I texted Zero in Discord.
[14:39.820 --> 14:43.380]  All right, it's like really far back lagging, so...
[14:43.380 --> 14:46.260]  Oh, wow, I'm not going to listen to myself on that stream.
[14:47.080 --> 14:47.940]  Oh, just mute it.
[14:47.940 --> 14:49.180]  Yeah, don't listen to yourself.
[14:49.180 --> 14:49.440]  Come on.
[14:49.440 --> 14:51.740]  Yeah, I'm not going to listen to myself.
[14:52.380 --> 14:53.360]  Oh, man.
[14:53.720 --> 14:54.360]  Come on.
[14:54.360 --> 14:56.120]  Okay, so the first link doesn't work.
[14:56.120 --> 14:57.380]  I'm so sorry for that.
[15:01.880 --> 15:03.460]  All right, so...
[15:03.460 --> 15:05.240]  Now it's 30 waiting, so...
[15:05.240 --> 15:08.860]  All right.
[15:08.860 --> 15:09.380]  Yeah.
[15:10.300 --> 15:12.920]  You want to have some girl from Ipanema?
[15:16.760 --> 15:25.480]  A little bit of Las Vegas elevator music, but, you know, it gives that vibe.
[15:25.480 --> 15:26.920]  Yeah, yeah.
[15:28.600 --> 15:29.120]  So...
[15:30.400 --> 15:32.480]  This seems silly.
[15:33.280 --> 15:34.120]  All right, so here's...
[15:34.480 --> 15:36.400]  I think here's going to be our plan.
[15:36.400 --> 15:43.620]  I will instruct people to click on the RFHS account to move over.
[15:43.620 --> 15:44.100]  Oh, yeah.
[15:44.520 --> 15:45.600]  Yeah, do that.
[15:45.600 --> 15:47.600]  I don't know if people are monitoring the chat.
[15:47.600 --> 15:48.840]  This is the problem.
[15:49.660 --> 15:50.420]  Yes.
[15:50.420 --> 15:51.380]  This is really...
[15:51.380 --> 15:55.600]  But I posted on Twitter and Discord, and so...
[15:55.600 --> 15:56.460]  Yeah.
[15:57.560 --> 15:58.500]  Yes.
[15:58.500 --> 16:00.440]  And other people have done that as well, so...
[16:02.880 --> 16:03.720]  Yeah.
[16:03.720 --> 16:05.680]  All right, let me type out a message here.
[16:05.680 --> 16:07.120]  Yeah, do it.
[16:08.560 --> 16:10.620]  Do that, do that, do that, do that.
[16:10.620 --> 16:11.500]  I'm going to do this.
[16:11.500 --> 16:12.400]  I'm going to do that.
[16:12.640 --> 16:14.760]  Oh, Zero says he just did something.
[16:14.760 --> 16:16.100]  Let's see if something changes.
[16:16.680 --> 16:17.740]  Fingers crossed.
[16:23.980 --> 16:25.560]  Well, maybe not.
[16:25.560 --> 16:27.320]  I'm going to keep typing instructions.
[16:29.340 --> 16:31.260]  Well, I don't see anything on that stream anymore.
[16:31.260 --> 16:31.860]  No, I don't either.
[16:31.920 --> 16:33.900]  I reloaded that one, and so...
[16:33.900 --> 16:34.380]  Yeah.
[16:35.780 --> 16:38.820]  29 waiting, so now I don't know if people have sent us...
[16:38.820 --> 16:40.360]  It happened to me before.
[16:40.360 --> 16:43.140]  You come in somewhere and don't get it.
[16:43.300 --> 16:44.520]  We're wasting time.
[16:44.520 --> 16:46.220]  It's 10 minutes into this.
[16:46.220 --> 16:47.080]  Well, we got this.
[16:47.080 --> 16:48.060]  It's fine.
[16:48.360 --> 16:50.780]  All right, so we've got 35 watching, at least.
[16:57.000 --> 16:57.920]  Ah.
[17:00.400 --> 17:02.160]  Tuta Denan.
[17:02.280 --> 17:04.220]  Carhackers Deluxe.
[17:07.000 --> 17:07.800]  Okay.
[17:07.800 --> 17:14.160]  I think if America's in them, it seems like those people, it works for them.
[17:14.160 --> 17:17.080]  I'm in the US. I don't see it.
[17:17.180 --> 17:18.640]  Ah, yeah, you're...
[17:24.340 --> 17:26.740]  Yeah. All right.
[17:33.010 --> 17:33.930]  All right.
[17:33.930 --> 17:36.090]  All right. Right, right, right.
[17:43.120 --> 17:44.740]  All right.
[17:44.740 --> 17:51.840]  So I'm going to give it 30 more seconds for people to hopefully see that message.
[17:53.700 --> 17:55.140]  Fingers crossed.
[17:58.720 --> 18:00.080]  Yep, yep, yep.
[18:00.360 --> 18:01.580]  Fingers crossed.
[18:02.660 --> 18:03.940]  Fingers crossed.
[18:14.460 --> 18:15.840]  Oh, yeah. Let's see.
[18:17.940 --> 18:18.900]  All right.
[18:18.920 --> 18:21.300]  So it's 30 still waiting on this one here.
[18:21.300 --> 18:24.060]  Well, so Wasabi did not have the link...
[18:24.060 --> 18:27.900]  Sorry, Xero did not have the link that Wasabi gave me, so I just forwarded him that.
[18:28.480 --> 18:29.160]  All right.
[18:30.660 --> 18:31.460]  Yay.
[18:32.800 --> 18:34.440]  So people are coming here, yeah.
[18:34.440 --> 18:36.300]  All right, so we're up in 44 here, so...
[18:38.280 --> 18:41.120]  Yep. So at least some people are moving over.
[18:41.520 --> 18:44.440]  Yeah, all right. So Olem is here. 25 is waiting there, so...
[18:46.840 --> 18:48.940]  The links don't appear in the chat, no.
[18:49.560 --> 18:51.200]  No, it's filtered.
[18:51.200 --> 18:52.600]  So people aren't...
[18:53.200 --> 18:54.060]  Yeah.
[18:54.160 --> 18:56.280]  ...sending malicious links to each other.
[18:56.640 --> 18:59.560]  Yeah, exactly. Makes sense.
[19:04.120 --> 19:08.840]  It's almost like an online gaming. It's like, yeah, so are we going live now?
[19:20.680 --> 19:22.400]  Yeah, exactly.
[19:23.320 --> 19:25.380]  So, success.
[19:26.600 --> 19:28.560]  All right, all right, all right, all right.
[19:30.540 --> 19:34.220]  Haha, never took Babak as a standing desk student.
[19:35.160 --> 19:36.180]  Hey.
[19:36.720 --> 19:37.820]  Chris-man.
[19:38.760 --> 19:40.240]  Deviant-man.
[19:44.810 --> 19:46.270]  Yeah, Olem has the...
[19:47.190 --> 19:50.570]  Deviant has the power to make everybody follow.
[19:52.450 --> 19:54.650]  All right, so let's go ahead and kick it off.
[19:54.650 --> 19:56.230]  We did the best we could.
[19:58.530 --> 19:59.050]  And...
[20:09.320 --> 20:11.540]  Yep, yep.
[20:24.520 --> 20:25.880]  All right.
[20:29.020 --> 20:31.500]  So that's fully live.
[20:35.430 --> 20:46.390]  Okay, well, let's go ahead and get started. First of all, thank you everyone for your patience as we worked our way through these problems.
[20:46.390 --> 20:54.030]  This is definitely my first YouTube live stream, so always fun to learn that way.
[20:54.150 --> 21:01.350]  And apparently for the DEF CON Safe Mode Villages, we had some new learning experience as well, so no worries there.
[21:03.010 --> 21:07.790]  And I'm just going to set up the final setting for the slideshow and we'll kick that off.
[21:14.630 --> 21:26.890]  Yep, yeah. That would be an interesting conflict right now because the slides you're going to present is not going to be showing to me if I don't look at the live stream.
[21:26.910 --> 21:29.230]  No, you can look at it in the Jitsi.
[21:29.370 --> 21:33.230]  Ah, yeah, there it is. Perfect. You got the word there for it.
[21:33.230 --> 21:35.350]  Yeah, I know, I know, I know.
[21:35.770 --> 21:37.050]  Don't do that.
[21:37.110 --> 21:37.490]  I know.
[21:37.490 --> 21:39.490]  All right, all right.
[21:39.490 --> 21:45.130]  Thank you again, everyone. We are going to do our best to see how this goes.
[21:45.610 --> 21:48.570]  So we did a couple things.
[21:48.570 --> 21:53.530]  So as you all know, the best thing that you can do if you're a DEF CON talk is have a live demo.
[21:54.430 --> 21:59.530]  Because, you know, the demo gods always smile down upon you when you do stuff like that.
[21:59.530 --> 22:04.590]  So I was talking to Iceman over the past couple weeks and I said, let's not just do one demo.
[22:04.590 --> 22:06.950]  Let's do a crap ton of demos.
[22:06.950 --> 22:16.310]  So I have a wide variety of demos that I've been working 18 hours a day, getting all prepped for the last couple days to fit all this in.
[22:16.310 --> 22:19.270]  We're going to see how it goes. I'm not sure yet.
[22:19.270 --> 22:22.770]  The slides are also acceptable, but not great.
[22:22.770 --> 22:28.570]  So I want to appreciate everyone's, you know, understanding as we do a lot of firsts here.
[22:28.570 --> 22:32.170]  So without further ado, this is Ghosting the PACS-man.
[22:32.170 --> 22:38.990]  And we're focusing on new tools and techniques for 2020 related to physical access control systems.
[22:39.130 --> 22:43.430]  To bring everyone up to speed, I am going to start the talk off with a little bit of context.
[22:43.430 --> 22:47.490]  So don't worry, it will get technical further towards the end.
[22:47.490 --> 22:49.970]  But let's go ahead and get started.
[22:50.230 --> 22:54.110]  So we have two people with us, including myself.
[22:54.110 --> 23:03.790]  So I'm Babak Javadi. I'm a professional penetration tester and, you know, lock picker, hardware hacker.
[23:03.790 --> 23:08.210]  Been instructing Covert Methods of Entry for over 10 years.
[23:08.350 --> 23:13.210]  I'm a founder and partner at the Core Group, a consulting and research firm.
[23:13.210 --> 23:20.370]  Also a founding partner at the Red Team Alliance, a premier Red Team training firm as well.
[23:20.370 --> 23:29.110]  And I spent a lot of years, especially my earlier years in the scene, developing and building up the lockpicking community with TOOOL.
[23:29.170 --> 23:36.530]  So if any of you have ever visited the lockpicking village over the past years, you will have possibly seen me
[23:36.530 --> 23:40.670]  or seen some of the projects that I've been working on in the past.
[23:40.970 --> 23:46.910]  Deviant, big shout out to Deviant for all of his help, helping with some of the last minute slides.
[23:46.910 --> 23:51.310]  I see his comment there in the chat.
[23:51.970 --> 23:57.410]  Iceman is also here calling in remotely, just so everyone knows we're doing a really crazy thing
[23:57.410 --> 24:03.290]  where I have a Jitsi video stream with Iceman that's coming to me from Sweden.
[24:03.290 --> 24:08.850]  So we have Sweden to Phoenix, Arizona, and then we have from Phoenix out to YouTube again.
[24:08.850 --> 24:12.590]  So we got some fun traffic bouncing going on here.
[24:12.590 --> 24:15.090]  Iceman, do you want to talk a little bit about yourself?
[24:15.090 --> 24:19.590]  Well, yeah, sure. First of all, yeah, most excited to be here.
[24:19.590 --> 24:22.530]  And thank you for being able to do this today.
[24:22.530 --> 24:28.190]  And the technical uphill was a little bit more than I expected, but yeah, that's how it is.
[24:28.190 --> 24:31.570]  And it's a heatwave also in my country, in Europe right now.
[24:31.570 --> 24:36.950]  So yeah, I'm sweating. If you see me pounding, it's not just me being normally talkative.
[24:36.950 --> 24:39.470]  It's just, it's warm. It's really warm.
[24:39.610 --> 24:44.290]  Anyway, I'm Iceman. And most of you know me and have seen my Iceman channel
[24:44.290 --> 24:47.990]  and have seen me on Proxmark freely.
[24:48.050 --> 24:55.550]  So I'm an administrator, maintainer, developer, and you can call me an evangelist of Proxmark nowadays.
[24:55.550 --> 25:00.790]  I've been into that since 2013, and I've been lucky to learn this way
[25:00.790 --> 25:09.030]  and being able to meet people and talk to people and learn even more and to become the person I am today.
[25:09.030 --> 25:13.290]  But before that, and during that, and I'm not just spending all my time on this,
[25:13.290 --> 25:17.750]  is that I'm actually a certified MCPD Enterprise Architect in .NET development.
[25:17.770 --> 25:24.510]  And I've been running my own company since 2006, trying to do consultancy and stuff like that.
[25:24.510 --> 25:28.230]  And I like Proxmark more. I have more fun with that.
[25:28.870 --> 25:33.530]  And that led to something called RRG, where I co-founded it two and a half, three years ago,
[25:33.530 --> 25:42.870]  where we ended up with actually making something what you all know as an RDV4, where you all can see my little name on it.
[25:42.870 --> 25:47.770]  And that's me. I don't think you need any more introductions for me, because everybody knows who I am, usually.
[25:48.390 --> 25:51.010]  When it comes to Proxmarks, everybody knows who I am.
[25:51.010 --> 25:51.890]  That's true.
[25:52.250 --> 25:56.650]  And everybody who's new, I'm kind of okay with Proxmarks. All right?
[25:57.850 --> 26:05.170]  So, we have, like I said, we're going to provide everyone some brief overall context regarding access control.
[26:05.170 --> 26:11.270]  We're not going to dive too deep into traditional topics like cloning cards and stuff like that.
[26:11.270 --> 26:17.610]  But I do want to give everyone a nice holistic picture of what a physical access control actually looks like.
[26:17.610 --> 26:22.990]  Because as I try to remind people, when we talk about RFID as it relates to access control,
[26:22.990 --> 26:27.550]  RFID is just the very, very tip of the access control iceberg.
[26:28.110 --> 26:29.770]  It's easy to forget about that.
[26:29.770 --> 26:31.110]  Yes. Yes.
[26:32.030 --> 26:37.030]  So, what we're talking about with access control is normally this.
[26:37.110 --> 26:41.110]  So, this is what most people think of when they think of access control.
[26:41.110 --> 26:45.330]  They think of a door with a reader next to it, and they present a card of some kind.
[26:45.330 --> 26:49.890]  And I know the video is glitching. I apologize for that. We'll just move past it.
[26:50.530 --> 26:54.970]  You present a card of some kind, and you just pull open the door. Right? Simple as that.
[26:56.610 --> 27:02.850]  Oftentimes, there has to be a connector between the physical world and the electronic world.
[27:02.850 --> 27:10.550]  And when it comes to access control, that's usually in the form of an electrified strike or a magnetic lock.
[27:10.550 --> 27:14.150]  You might have seen a lot of mag locks around different doors in different facilities.
[27:14.150 --> 27:26.030]  There are also built-in handsets that have integrated electromechanical components that work all in a self-contained unit.
[27:26.030 --> 27:29.390]  So, you might not see an electric strike. You might not see a mag lock.
[27:29.390 --> 27:33.550]  But it still might be an electronically controlled door.
[27:34.270 --> 27:37.790]  What's happening here, and again, I want to emphasize this.
[27:37.790 --> 27:43.710]  In a lot of the analogies and examples that I use, we are intentionally very, very general.
[27:43.710 --> 27:47.330]  So, we're going to intentionally dumb it down considerably.
[27:47.330 --> 27:49.290]  This is not to insult your intelligence.
[27:49.370 --> 27:57.430]  It's to make sure that we're focusing on the actual concept and not let people get too lost in the finer details.
[27:57.510 --> 28:03.950]  So, generally speaking, these magnetic locks, these electrified strikes, there's a power source of some kind.
[28:03.950 --> 28:06.670]  So, there's a transformer of some kind powering it.
[28:06.670 --> 28:09.590]  Or, if power is out, there's a backup battery.
[28:09.610 --> 28:13.150]  But, of course, it's not just connected directly to a power source.
[28:13.150 --> 28:15.970]  Ultimately, it's connected to a door controller.
[28:15.970 --> 28:23.010]  The door controller is generally an embedded device of some kind, often runs on Linux, but not always,
[28:23.010 --> 28:30.910]  that has a series of power supplies, relays, and other microcontrollers to take in multiple inputs
[28:30.910 --> 28:36.830]  and make logical decisions based off of that, and then control certain outputs.
[28:37.450 --> 28:41.310]  So, credentials come in, and then something happens on the output.
[28:41.310 --> 28:46.810]  So, whether you have a prox card or a mag stripe or a Wiegand swipe card, which we'll talk about in a moment,
[28:46.810 --> 28:51.450]  those are all different types of inputs as far as the credential data is concerned.
[28:51.570 --> 28:59.370]  So, in terms of credentials, we are talking about a card, like something you have, or a pin, which is something you know.
[28:59.370 --> 29:06.150]  Or, in the case of biometrics, like a fingerprint or iris scan, facial recognition, what have you, something you are.
[29:06.210 --> 29:10.850]  But, ultimately, as we mentioned, it's just a panel making decisions based off of inputs.
[29:10.850 --> 29:19.610]  So, here is an example of one of the most common types of inputs that people might see.
[29:19.610 --> 29:24.590]  People have probably seen how to bypass doors using a can of air.
[29:24.590 --> 29:27.670]  Well, here's another kind of input that that relates to.
[29:27.670 --> 29:33.710]  So, here's our access control system, and we have a couple of players here.
[29:33.710 --> 29:41.030]  And imagine that the bellman here is a door strike, so an electrified strike.
[29:41.030 --> 29:46.570]  Then we have our manager, our door controller, and then we have, sorry, not our card reader.
[29:46.570 --> 29:50.570]  We have a REX motion sensor, which we'll see a photo of shortly.
[29:50.670 --> 29:55.710]  So, whenever that motion sensor activates, depending on how the door controller is configured,
[29:56.310 --> 30:00.770]  that door controller is going to make a decision saying, hey, I should let that person out.
[30:00.770 --> 30:02.550]  Let's go ahead and open up that door.
[30:02.550 --> 30:05.990]  And this is something that, again, a lot of folks are going to be already familiar with,
[30:05.990 --> 30:09.350]  because these REX sensors are very, very easy to fool.
[30:09.410 --> 30:12.530]  So, here we have a double door.
[30:13.390 --> 30:26.430]  Someone's on the locked side, and they're just going to use a burst of air to trick that REX sensor into seeing a motion
[30:26.430 --> 30:28.250]  and then allowing you to open the door.
[30:28.250 --> 30:31.670]  And I'm seeing that some of the videos are not playing correctly in PowerPoint.
[30:31.670 --> 30:37.750]  I apologize for that, but we'll just kind of move past it and see if the next one does any better.
[30:37.750 --> 30:39.570]  So, we'll try again.
[30:39.670 --> 30:46.670]  So, here is a different lab, and we were showing one of my friends how this process works.
[30:46.690 --> 30:51.730]  And so, what he's going to try to do is, oh man, jumping all over the place.
[30:51.730 --> 30:58.710]  He's going to try to take that canned air, turn it upside down, insert it between the doors, and trip that motion sensor.
[30:58.710 --> 31:03.570]  Oh man, okay. Videos are bad for live streaming. That's what I'm learning.
[31:03.570 --> 31:07.690]  So, we are going to probably not play a whole lot more videos.
[31:08.010 --> 31:10.370]  But we're not going to focus on that topic too much.
[31:10.370 --> 31:18.510]  Suffice to say that there are different ways of manipulating different motion sensors as they relate to door controllers.
[31:18.510 --> 31:20.250]  So, that's the most common method.
[31:20.290 --> 31:22.210]  We're going to skip over a couple more videos.
[31:22.370 --> 31:24.410]  These are the sensors that we're talking about, right?
[31:24.410 --> 31:26.490]  So, these are normally mounted above doors.
[31:26.490 --> 31:28.510]  And they can be used in one of two ways.
[31:28.510 --> 31:37.010]  They can either be used for automatic egress, where simple motion will activate the electrified strike and allow you to exit.
[31:37.110 --> 31:41.450]  Or, it might be used for detecting forced entry.
[31:41.450 --> 31:46.770]  So, let me just see really quickly if those slides exist.
[31:46.770 --> 31:48.690]  So, pardon me one moment.
[31:48.690 --> 31:53.230]  I'm realizing that a couple of these slides might have been out of order.
[31:53.230 --> 32:00.250]  So, we will switch cameras briefly while we check that.
[32:00.810 --> 32:07.590]  Have you noticed the really sexy soldering station behind Babak?
[32:07.590 --> 32:10.190]  You know, I'm getting jealous.
[32:12.990 --> 32:21.730]  Okay, so yeah, I'll just explain it and talk through it since apparently I don't have the door contact slides in this deck.
[32:21.730 --> 32:24.470]  So, my apologies for that.
[32:24.590 --> 32:28.570]  One moment as we get the presentation spun back up.
[32:30.780 --> 32:33.240]  And then switching back.
[32:33.240 --> 32:34.120]  Alright.
[32:35.680 --> 32:40.120]  So, a lot of doors can have little door position switches.
[32:40.120 --> 32:44.980]  These are magnetic sensors built into the door and the door frame.
[32:44.980 --> 32:48.540]  And that allows the door controller to monitor the state of the door.
[32:48.540 --> 32:57.940]  So, basically there is some logic in the door controller that says if the door opens and it's not preceded by a valid card read,
[32:57.940 --> 33:03.520]  or it's not preceded by someone approaching the door and tripping one of these motion sensors,
[33:03.520 --> 33:08.040]  then it's going to assume a forced entry state and it's going to trigger an alarm.
[33:08.040 --> 33:11.880]  So, those are the two use cases for REX sensors, for example.
[33:11.880 --> 33:13.640]  There are other types of inputs.
[33:13.640 --> 33:14.900]  They're not as common.
[33:14.900 --> 33:17.020]  We're not going to talk about them in this talk.
[33:17.020 --> 33:21.420]  But if you're curious about that, definitely find me online or offline later.
[33:21.420 --> 33:24.180]  And I'm happy to go over extra stuff with you folks.
[33:24.180 --> 33:26.920]  So, we'll just go ahead and skip past more videos.
[33:27.000 --> 33:32.420]  But ultimately, enterprise access control systems contain a multitude of different components.
[33:32.420 --> 33:34.200]  So, we have our credentials.
[33:34.200 --> 33:37.280]  These are things that most folks are very familiar with.
[33:37.280 --> 33:42.860]  We have the readers, which come in a lot of different technologies, shapes, colors, sizes.
[33:43.100 --> 33:44.580]  We have the door hardware.
[33:44.580 --> 33:47.000]  That's what's actually securing the door.
[33:47.000 --> 33:51.840]  And then we have our motion sensors, our door position switches, etc.
[33:52.020 --> 33:55.900]  Our door controller, which actually handles all of the decision making.
[33:55.900 --> 34:05.300]  And then a server of some kind that actually contains the main primary user database that is synchronized across different door controllers.
[34:05.340 --> 34:06.780]  And these are all connected, right?
[34:06.780 --> 34:08.000]  They all play nice.
[34:08.000 --> 34:17.420]  Except, this is not a system that is connected in the way that some folks think it is.
[34:17.420 --> 34:24.240]  Each segment of an access control system operates independently of the other segments.
[34:24.240 --> 34:31.140]  And we can take advantage of gaps that exist between these different segments to manipulate the behavior of the system.
[34:31.980 --> 34:37.040]  So when we talk about RFID, when we talk about Prox, when we talk about mag stripe,
[34:37.040 --> 34:45.560]  what we're only talking about is that very, very first link between the credential itself and the card reader.
[34:45.560 --> 34:48.820]  It just has nothing to do with anything behind it.
[34:48.820 --> 34:52.200]  RFID operates independently of everything else.
[34:52.200 --> 34:58.580]  So when we talk about access control, we're not just talking about RFID, we're talking about everything.
[34:59.360 --> 35:03.810]  So first, to really understand a little bit of the history of RFID,
[35:04.100 --> 35:09.120]  I want to talk a little bit more about the history of credentials and cards in general.
[35:09.120 --> 35:11.820]  So a lot of folks have heard the term Wiegand.
[35:12.000 --> 35:21.800]  Wiegand is actually a man who moved and immigrated to the U.S. back in the early 1900s,
[35:21.800 --> 35:24.880]  originally to study music at Juilliard.
[35:24.880 --> 35:30.180]  And through his different experiences became very interested in audio amplifiers
[35:30.180 --> 35:38.140]  and ultimately became a wonderfully innovative researcher
[35:38.140 --> 35:43.460]  that came up with some really cool ideas and discoveries revolving around electromagnetics.
[35:44.320 --> 35:47.900]  Most people know him for his invention of the Wiegand wire.
[35:47.900 --> 35:51.120]  And this is actually, even though it's very, very old technology,
[35:51.120 --> 35:55.400]  it's something that still permeates access control as it exists today.
[35:55.760 --> 36:00.240]  And understanding that this is where modern access control comes from is important
[36:00.240 --> 36:05.300]  because it informs a lot of the different weaknesses, limitations, and vulnerabilities
[36:05.300 --> 36:08.420]  that exist in access control still today.
[36:08.860 --> 36:12.080]  So let's talk a little bit about these Wiegand wires.
[36:12.440 --> 36:14.240]  I'm going to skip a couple slides.
[36:14.240 --> 36:20.400]  I'm actually just going to switch to a downward-facing camera here.
[36:20.400 --> 36:26.440]  What I have here is an original Wiegand swipe card.
[36:26.440 --> 36:28.560]  Let's move our camera down here.
[36:28.560 --> 36:35.480]  And I've actually also got an original Wiegand reader.
[36:36.300 --> 36:39.480]  And we'll get this powered on as well.
[36:42.640 --> 36:44.620]  Adjust our camera.
[36:45.200 --> 36:46.900]  There we go.
[36:46.900 --> 36:53.480]  All right, so we have our display here that is connected to the card reader.
[36:53.480 --> 36:56.780]  This is kind of pretending to be a door controller of sorts, if you will.
[36:56.780 --> 36:59.980]  And I'm just going to swipe this card.
[36:59.980 --> 37:02.160]  And let's see if I do it right. There we go.
[37:02.160 --> 37:03.640]  So I got some data.
[37:03.760 --> 37:09.320]  This says Facility Code 40, card number 2115.
[37:09.320 --> 37:11.020]  Where did that data come from?
[37:11.220 --> 37:12.820]  These wires on the back.
[37:12.820 --> 37:17.700]  So I've actually taken a blade and I've removed a layer of the plastic from the card.
[37:17.700 --> 37:19.860]  So we can see these wires.
[37:19.860 --> 37:22.220]  These wires are very, very interesting.
[37:22.220 --> 37:26.500]  Because they exhibit a very peculiar electromagnetic property.
[37:26.500 --> 37:31.920]  As they pass over permanent magnets of a given polarity,
[37:32.760 --> 37:39.400]  the outside shell of the wire magnetizes at a different rate than the inside shell.
[37:39.400 --> 37:44.100]  And the reason that happens is because during manufacture, that wire is actually twisted.
[37:44.180 --> 37:50.160]  And so the outside of it is work-hardened in a way that makes it more brittle and more hard than the inside.
[37:50.740 --> 37:54.880]  When you do that to wire, something very interesting happens.
[37:55.200 --> 37:57.980]  So here we have a sense coil.
[37:58.100 --> 38:01.880]  And we have two permanent magnets oriented in opposite directions.
[38:01.880 --> 38:09.080]  As these Wiegand wires pass the first wire, and both the outside shell and the inner core of the wire are magnetized,
[38:09.080 --> 38:12.500]  and then you move that wire towards the second one,
[38:12.500 --> 38:20.060]  the center of the wire flips polarity faster and before the outside of the wire.
[38:20.060 --> 38:28.200]  And that results in a very interesting behavior that results in a field that can be picked up by this sense coil in the middle.
[38:28.200 --> 38:37.160]  So inside this reader here that you see on my small screen, there are actually multiple sense coils and multiple magnets.
[38:37.160 --> 38:44.600]  And what it's doing is as these wires are passing over it, those wires are briefly getting magnetized and demagnetized.
[38:44.600 --> 38:49.200]  And that sense coil is picking up these pulses coming back off of the wire.
[38:49.320 --> 38:52.060]  Now this was used in a lot of different applications.
[38:52.060 --> 38:59.460]  It was used in everything from anti-lock braking systems to machine automation in factories and such.
[38:59.460 --> 39:03.840]  It's in fact still used today in a lot of different mechanical applications.
[39:03.840 --> 39:10.500]  There are even casino chips that use Wiegand wires inside the chip to identify that the chip is authentic.
[39:10.500 --> 39:15.180]  Because Wiegand wires are historically very difficult to manufacture on your own.
[39:15.180 --> 39:21.360]  In fact, there's only one machine that I know of in the United States that still produces this type of wire.
[39:21.360 --> 39:24.940]  And it's not in operation very much.
[39:24.960 --> 39:31.680]  HID, which used to make Wiegand cards, some time ago sold their only machine to a company in Germany.
[39:31.680 --> 39:35.340]  So this is not something that is easy to do on your own.
[39:35.340 --> 39:43.120]  In fact, the only way that I can get my own Wiegand wire is dissolving it or harvesting it out of other Wiegand swipe cards.
[39:45.960 --> 39:49.600]  So, let me keep going here.
[39:50.320 --> 39:54.200]  And apologies if anyone's asking questions that I'm not seeing yet.
[39:54.200 --> 39:56.600]  I'm going to focus on questions during the Q&A.
[39:56.600 --> 40:00.660]  We have a lot of content, a lot of demos to get through, so I want to focus on getting through that.
[40:00.660 --> 40:03.460]  So I appreciate everyone's understanding with that.
[40:03.500 --> 40:14.340]  So Wiegand wires, as they're used in swipe card systems, they literally represent the 0 bits and the 1 bits of the credential data.
[40:14.340 --> 40:15.780]  What do I mean by that?
[40:15.780 --> 40:20.000]  Well, let's take a look at an example.
[40:20.540 --> 40:26.400]  I'm going to open up a notepad window here and walk people through.
[40:29.560 --> 40:32.860]  It is ultra cred for this old tech.
[40:32.960 --> 40:36.160]  It's the basics, it's the beginning of things.
[40:36.160 --> 40:39.420]  You see the red thread pretty soon.
[40:45.070 --> 40:51.470]  Alright, so what we're going to do is we're going to together decode...
[40:52.550 --> 40:55.490]  Well actually, for the sake of time, we won't do that.
[40:55.490 --> 40:57.210]  I'm just going to tell you how it all works.
[40:57.210 --> 41:04.290]  So here I have a real Wiegand card and here I have a fake one.
[41:04.610 --> 41:09.450]  So what I've done is I've just... I'm just going to switch this back here.
[41:13.900 --> 41:15.720]  Nope, not that one, that one.
[41:15.720 --> 41:21.700]  So what I've done here is I've just printed where the Wiegand wires would be on a card.
[41:21.700 --> 41:24.820]  To give you a little example here.
[41:24.820 --> 41:28.860]  So we're going to pretend that these are real wires on a card.
[41:28.860 --> 41:33.300]  And these top wires are the 0 bits, these bottom wires are the 1 bits.
[41:33.360 --> 41:36.580]  And the swipe direction is like this.
[41:36.580 --> 41:43.920]  So what that means is if we're flipping this over, these bits are at the beginning of the credential and these bits are at the end.
[41:43.920 --> 41:53.790]  Now, what I have here, and I'm going to switch windows here, is Notepad.
[41:54.010 --> 42:02.070]  And I'm going to copy this.
[42:03.670 --> 42:05.890]  And we're going to move Iceman down.
[42:05.890 --> 42:07.090]  Whoops, not that.
[42:07.910 --> 42:09.250]  Are you moving me down?
[42:09.250 --> 42:10.470]  Yeah, right?
[42:11.950 --> 42:13.310]  Alright.
[42:14.190 --> 42:21.610]  So, if you can see, I'm going to move this camera even closer.
[42:22.830 --> 42:27.890]  So, compare this binary string up here.
[42:27.890 --> 42:33.170]  If we compare it to this card from right to left, you'll see that it matches.
[42:33.170 --> 42:34.610]  So here's our 1.
[42:34.750 --> 42:41.750]  And then we have, I'm going to use a pencil as a pointer here to make my life a little bit easier.
[42:41.750 --> 42:43.870]  So we have a 1 and we have two 0s.
[42:43.870 --> 42:50.130]  We have 1, 0, 0, 1, 0, 1, 0, 1, 0, 0, 0, etc.
[42:50.130 --> 42:52.250]  And we have 26 of those wires.
[42:52.250 --> 43:02.250]  And that corresponds, in this particular example, with 26 bits that are read from the card by the reader and then sent onward to the door controller.
[43:02.250 --> 43:10.970]  So those original systems, developed in the early and mid 80s, just took that raw data and sent it to the door controller.
[43:10.970 --> 43:16.550]  And thus began the Wiegand communication protocol as a standard.
[43:16.610 --> 43:21.050]  Then there's this also here as a Wiegand bit format.
[43:21.050 --> 43:24.430]  So here we have the open 26-bit format.
[43:24.490 --> 43:29.250]  And if we take a look at this next slide here.
[43:29.250 --> 43:34.270]  This is just one example of a Wiegand bit format.
[43:34.270 --> 43:38.130]  Now, there are many. We're not going to talk about all of them. This is just one.
[43:38.170 --> 43:52.170]  The phrase Wiegand bit format refers to how you can decode a group of binary bits into something that we're going to arbitrarily call facility code and card number.
[43:52.170 --> 43:59.670]  So with the 26-bit format, for example, we have 26 bits. The first and last bits are parity.
[43:59.830 --> 44:04.370]  And then we have 8 bits used for the facility code and 16 for the card number.
[44:04.370 --> 44:07.790]  Again, that's just the open 26-bit format.
[44:07.790 --> 44:17.510]  So if we come back over here and pull up a little calculator here.
[44:39.230 --> 44:41.150]  There we go. Alright.
[44:41.630 --> 44:44.510]  Oh, Iceman is on top of my calculator.
[44:46.730 --> 44:48.230]  Crunching numbers, am I?
[44:48.310 --> 44:52.830]  Yeah, yeah, yeah. We're just going to move the calculator itself.
[44:53.390 --> 44:54.430]  There we go.
[44:55.150 --> 44:57.750]  Alright, so what do I mean by that?
[44:57.750 --> 44:59.850]  Here's those first 8 bits.
[44:59.850 --> 45:06.850]  If I copy that and convert from binary to hex, there's our decimal 42 value.
[45:07.010 --> 45:16.130]  And if I take this and I copy that and I convert it from binary to hex, or sorry, to decimal, there's our 16180 value.
[45:16.130 --> 45:22.330]  So the phrase facility code and card number really only refers to these little arbitrary values
[45:22.330 --> 45:29.450]  that we define as part of the whole PACS data stream that gets sent from the card reader to the door controller.
[45:29.450 --> 45:32.590]  If that doesn't fully make sense yet, that's okay.
[45:32.590 --> 45:35.390]  We can talk about it more in depth during Q&A.
[45:35.390 --> 45:39.270]  But just understanding that this is what the credential data itself is.
[45:39.270 --> 45:42.250]  This is your token that is actually granting you access.
[45:42.250 --> 45:46.030]  This is the important thing. Understanding that concept is important.
[45:46.710 --> 45:51.010]  So we have our Wiegand data stream, and that's what's stored on the card.
[45:51.270 --> 45:54.750]  As technology progressed, we're going to switch back here.
[45:55.630 --> 46:00.230]  As technology progressed, oh, this is actually a cool link.
[46:00.230 --> 46:02.390]  I just forgot this slide was in this order.
[46:02.390 --> 46:08.610]  If you want to learn about more Wiegand data formats, this is a great site that has some really wonderful tools.
[46:08.610 --> 46:16.810]  So if you go to cardinfo.barkweb.com.au, you'll actually see a bunch of different Wiegand formats,
[46:17.190 --> 46:18.990]  some more popular ones.
[46:18.990 --> 46:23.250]  There are technically hundreds, if not thousands, of proprietary Wiegand formats,
[46:23.250 --> 46:24.210]  and these are just some of them.
[46:24.210 --> 46:29.650]  But if you want to learn more about them, check out 0xFFFF's website there,
[46:29.650 --> 46:34.790]  and you'll see quite a few variety of formats.
[46:35.770 --> 46:41.910]  So inside a modern credential, when we're talking about prox cards, when we're talking about RFID,
[46:41.910 --> 46:45.870]  and I have actually an example here.
[46:45.950 --> 46:52.950]  So here we have a low-frequency card that is made of clear PVC rather than white plastic,
[46:52.950 --> 46:54.790]  so you can see what's inside.
[46:55.650 --> 47:02.070]  These are just containers that are different ways of holding that same Wiegand data.
[47:02.070 --> 47:10.050]  What I mean by that is even when you present these different kinds of cards and credentials to the reader,
[47:10.050 --> 47:13.570]  the reader is just looking for that PACS data that it recognizes,
[47:13.570 --> 47:20.130]  and it's still converting that into that kind of somewhat ancient format that the door controller was expecting,
[47:20.130 --> 47:26.050]  because that's kind of the system that everyone agreed upon and everyone used for the sake of PACS compatibility.
[47:28.970 --> 47:34.310]  So when we talk about credential-to-reader communication, when we talk about RFID,
[47:34.310 --> 47:40.830]  when we talk about the signal between cards and readers, whether it's Prox or iClass, what have you,
[47:40.830 --> 47:42.910]  these are all just different containers.
[47:43.170 --> 47:46.550]  So I'm going to give you another analogy to kind of get this point across.
[47:46.550 --> 47:52.650]  So we have, again, our RFID credential, we have our RFID reader, we have our door controller,
[47:52.650 --> 47:54.830]  and then we have our door hardware, right?
[47:54.830 --> 48:00.610]  So we're going to look at the access control system as if it's all people having a conversation.
[48:02.710 --> 48:07.770]  So that card reader is always looking for a credential, it's always interrogating, right?
[48:07.770 --> 48:11.770]  So here's our card reader saying, hello, hello, hello.
[48:11.930 --> 48:19.730]  Eventually, a credential comes along and it says, hello, I am 43-1048.
[48:19.950 --> 48:24.490]  The card reader says, oh yes, 43-1048, I will send that on.
[48:24.490 --> 48:30.850]  Door controller gets that information, they recognize the user, they go ahead and activate the electrified strike.
[48:32.570 --> 48:37.910]  Another user comes along. Maybe this is a different credential.
[48:37.910 --> 48:41.910]  It doesn't matter. Its conversation might be simpler.
[48:41.910 --> 48:49.870]  It might not have all of this extra syntax and structure or preamble, but the data is still formatted the same way.
[48:49.870 --> 49:01.790]  So that older, dumber credential, if you will, will still provide information the reader translates into a standard format that the door controller is expecting.
[49:03.470 --> 49:06.390]  So the syntax and preamble can vary.
[49:06.390 --> 49:15.370]  So for example, here is a different user and they might say the information in a different way.
[49:15.370 --> 49:20.170]  It might use a different communication language, so to speak.
[49:20.170 --> 49:31.130]  But that card reader, again, is still going to convert that into a sanitized standard format and send that to the door controller, which the door controller sees and does its thing.
[49:31.130 --> 49:41.570]  Notice that in all of these examples that we have discussed so far, the door controller doesn't have any idea about the rest of the conversation that is happening between the card and the reader.
[49:41.570 --> 49:49.610]  It doesn't matter if the card is Prox or Indala. It doesn't matter if it's a high security card or a low security card.
[49:49.610 --> 49:56.350]  Because when the data goes from the card reader to the door controller, it's still going to be formatted in that same standard way.
[49:57.570 --> 50:02.970]  So apologies for the sake of time. You're going to see me skipping over a couple of slides. That's okay.
[50:03.130 --> 50:06.430]  Some credentials, we're going to say, speak other languages.
[50:06.430 --> 50:12.790]  What I mean by that is that they might present the data in a way that initially doesn't make sense.
[50:13.030 --> 50:19.030]  So there's, you know, instead of prox, maybe that's like an EM card.
[50:19.590 --> 50:23.770]  I'll give you an example of what I think an Indala conversation will look like.
[50:23.770 --> 50:31.710]  So Indala is notorious for scrambling the order of how the bits are sent from the card to the reader.
[50:31.710 --> 50:39.750]  Iceman is laughing because we spent way too many hours debugging Indala encoding and decoding problems a few months ago.
[50:40.630 --> 50:46.250]  So here's an example of a conversation between a card reader and, say, an Indala credential.
[50:46.250 --> 50:52.470]  So instead of providing everything in a nice, easy-to-understand format, that Indala credential might say,
[50:52.470 --> 50:59.090]  Oh, yes, here's a bunch of numbers. And if you understand the correct way to parse my sentence,
[50:59.090 --> 51:06.110]  then you will also know that this is the format that it actually wants and it sends that to the door controller.
[51:06.210 --> 51:12.470]  Again, this is really, really dumbed down. That is intentional because this is not the thing that we're learning about.
[51:12.470 --> 51:19.770]  What we're learning about right now is the foundation of the card reader is going to send sanitized data to the door controller.
[51:19.770 --> 51:24.270]  And that's important for understanding all the other demos and stuff that we're going to end up showing you.
[51:27.150 --> 51:34.170]  Then there's the difference between low frequency and high frequency. That's a very commonly misunderstood difference.
[51:34.170 --> 51:38.130]  So we're going to, again, use really, really simple analogies.
[51:38.190 --> 51:42.970]  So remember that that credential reader is looking to talk.
[51:44.130 --> 51:45.850]  So here is.
[51:47.550 --> 51:55.590]  Here is an example of a contactless smart card, right? So instead of just providing the information without any authentication,
[51:55.590 --> 51:59.810]  there is something that takes place between the card and the reader called mutual authentication.
[51:59.850 --> 52:09.030]  There is a secret handshake that takes place between the card and the reader that has to be mutually authenticated by both sides
[52:09.030 --> 52:14.590]  before that card data can be read from the card and then transmitted to the door controller.
[52:14.670 --> 52:21.010]  So if you are trying to, say, get this card's data and you don't understand that handshake protocol,
[52:21.010 --> 52:23.870]  you won't be able to actually get that credential information.
[52:27.530 --> 52:30.350]  So how many languages does your reader speak?
[52:30.350 --> 52:35.730]  I'm going to be showing you a couple of demos today using what are called migration or transition readers.
[52:35.730 --> 52:42.390]  Some readers will only work with one type of credential, meaning they only speak one language.
[52:42.390 --> 52:45.330]  Some readers will read multiple credential technologies.
[52:45.330 --> 52:52.210]  They might read Prox and Indala and also some high-frequency stuff like MIFARE or iClass or DESFire.
[52:52.210 --> 53:01.570]  So your card reader might speak multiple different languages and have the ability to read multiple credential technologies,
[53:01.570 --> 53:04.410]  but again, door controller does not care.
[53:04.410 --> 53:09.170]  Door controller is still, again, getting sanitized data from the card reader.
[53:09.630 --> 53:11.570]  We're going to skip ahead a little bit.
[53:13.130 --> 53:18.570]  So when you are cloning, you need to know the same language that the reader is speaking, right?
[53:18.570 --> 53:28.270]  So here's our attacker. Our attacker knows how to talk to the card and it records that information.
[53:28.270 --> 53:35.970]  And then when we approach the reader, we're going to speak the same language as the original card, right?
[53:37.770 --> 53:40.330]  What if you don't know the language?
[53:40.330 --> 53:45.810]  And what I mean by this, and we're going to do demos about all this, so I apologize if I'm going a little bit fast.
[53:45.810 --> 53:48.170]  I want to make sure that we have time to cover everything.
[53:48.630 --> 53:50.390]  What if you don't know the language?
[53:50.390 --> 53:58.310]  What if you have an encrypted credential or contactless smart card that you don't know the key or the password to?
[53:58.310 --> 54:01.370]  Or you don't know the protocol. How do you deal with that?
[54:01.370 --> 54:08.430]  Well, remember, the thing that we actually care about is the credential data itself, not necessarily the card.
[54:08.430 --> 54:10.330]  The card is just a container.
[54:10.770 --> 54:21.360]  So here, as an attacker, we're looking at a credential in a reader and we're like, man, they have a secret handshake.
[54:21.360 --> 54:26.140]  I don't know how to replicate that secret handshake.
[54:26.180 --> 54:31.080]  So instead, what we're going to do is we're going to take that reader off the wall.
[54:34.310 --> 54:36.190]  We're going to borrow him, right?
[54:36.190 --> 54:40.170]  So we're going to borrow the reader. We're not even going to connect it to a real door controller.
[54:40.170 --> 54:42.850]  We're just going to connect it to our own data logger.
[54:43.330 --> 54:46.390]  And we're going to give it some power and we're going to read a credential.
[54:46.390 --> 54:50.010]  So that card reader knows the secret handshake.
[54:50.010 --> 54:53.890]  It's able to talk to that credential and get that PACS data.
[54:53.890 --> 54:55.610]  And now we have it as well.
[54:56.210 --> 55:02.970]  If we can find another way of getting that PACS data to the door controller, then that's all we need.
[55:02.970 --> 55:04.230]  The game is over.
[55:09.260 --> 55:14.100]  So in this example where the card reader can speak multiple languages, so to speak,
[55:14.100 --> 55:18.880]  we can just provide that card information in a format that the reader understands
[55:18.880 --> 55:23.980]  and then the system will operate as if it was the original card.
[55:26.920 --> 55:32.220]  I'm going to give you one more analogy just to really kind of seal in the flavor, so to speak.
[55:32.220 --> 55:37.040]  Think of low frequency credentials like Prox, Indala, IO, EM, and others.
[55:37.040 --> 55:43.240]  Think of them as just a file folder that all you have to do is open it and there's your Wiegand data.
[55:43.240 --> 55:48.280]  It's just right there. You don't necessarily have to understand what all the ones and zeros mean,
[55:48.280 --> 55:52.600]  but you can just take that piece of paper, stick it in a copy machine, and now you have a duplicate.
[55:54.160 --> 56:00.300]  With smart cards, with high frequency credentials, what we're talking about is taking that credential information,
[56:01.020 --> 56:08.300]  locking it in a bag, and then putting that bag in a safe with a unique combination that only the reader knows.
[56:08.920 --> 56:13.180]  That's what we're talking about when we talk about MIFARE, when we talk about iClass.
[56:13.340 --> 56:17.380]  Again, we're not going to get too deep into technical details because we don't have time for that.
[56:17.380 --> 56:21.700]  We have a lot of demos we want to show you, so we'll skip over these slides here.
[56:22.840 --> 56:29.560]  So, now that you understand that, you understand the building blocks of what I call a technology downgrade attack.
[56:29.680 --> 56:37.640]  This is a slide that anyone who has seen any of our trainings that we've done over the past 10 years or so may have seen.
[56:37.640 --> 56:42.140]  It shows an iClass SEOS card next to a Prox card.
[56:42.400 --> 56:49.100]  And what I explain is that as far as the door controller is concerned, these two cards are equal.
[56:49.100 --> 56:50.600]  Well, how can that be?
[56:50.600 --> 56:56.880]  What we're talking about is a situation where the card reader can read multiple credential technologies,
[56:56.880 --> 56:59.900]  but the PACS data on both cards is the same.
[56:59.900 --> 57:03.160]  That will make more sense once I start doing the demo.
[57:07.430 --> 57:14.810]  So, just to give you an example of readers that can speak multiple languages, so to speak,
[57:15.350 --> 57:22.370]  I have here an example of what we call a migration or transition reader.
[57:22.430 --> 57:27.950]  I'm going to try to get this to focus.
[57:32.460 --> 57:35.080]  All right, it's focused-ish.
[57:35.560 --> 57:36.620]  Let's see.
[57:39.290 --> 57:41.850]  Come on, camera, you can do it.
[57:41.850 --> 57:44.190]  A little bit up.
[57:44.770 --> 57:52.730]  Yeah, it really doesn't want to be focused.
[57:53.610 --> 57:55.270]  All right, it's close enough.
[57:55.270 --> 57:57.250]  We can see that that word says secured.
[57:57.390 --> 57:59.930]  So, this is an example of a migration reader.
[58:00.070 --> 58:05.490]  This is a reader that is used for customers that are upgrading from an older technology to a newer one.
[58:05.490 --> 58:09.790]  So, let's say you have a facility that is still using Prox or still using Indala,
[58:09.790 --> 58:13.530]  and you're like, man, we've got to upgrade, but we've got thousands of doors.
[58:13.530 --> 58:15.170]  We can't do all that in one weekend.
[58:15.170 --> 58:18.250]  That's unrealistic and sounds very expensive.
[58:18.370 --> 58:21.290]  So, instead, what you do is you use a migration reader.
[58:21.290 --> 58:26.310]  The migration reader can read both older credential technologies and new ones.
[58:26.370 --> 58:32.710]  So, at your own pace, your integrator can go out and upgrade readers in the building,
[58:32.710 --> 58:39.350]  and when an entire site has all the readers changed, then you can start upgrading credentials.
[58:39.350 --> 58:44.130]  So, while you're doing the upgrade, everyone who still has old cards, their cards still work,
[58:44.130 --> 58:47.970]  because those new readers speak multiple languages, right?
[58:48.090 --> 58:52.210]  Once all the readers have been replaced, then we can take people's old cards away
[58:52.210 --> 58:57.230]  and show them newer, secure credentials, which the readers also understand.
[58:57.310 --> 59:01.890]  However, what is not always done, a step that is often missed,
[59:01.890 --> 59:09.250]  is disabling that older credential technology in the reader and preventing those old cards from working.
[59:09.330 --> 59:15.790]  That's important, because if you don't do that, then you're susceptible to what's called a format downgrade attack.
[59:16.030 --> 59:18.970]  Not format, technology downgrade attack.
[59:18.970 --> 59:21.970]  This slide had a typo there.
[59:21.990 --> 59:29.690]  So, I'm going to show you multiple cards that are going to show up as the same credential,
[59:29.690 --> 59:31.530]  but they are different technologies.
[59:31.770 --> 59:35.810]  So, we have here a prox card.
[59:35.810 --> 59:39.710]  So, we're going to present that prox card, and that gives us access granted.
[59:39.710 --> 59:48.410]  Our Wiegand data represented in hex, for the sake of simplicity, is 2547EC068.
[59:48.570 --> 59:51.950]  Here's a different card. This is an Indala card, right?
[59:51.950 --> 59:57.190]  Different card technology, but it's encoded with the same PACS data.
[59:57.190 --> 01:00:02.830]  When I present that credential, we can see the same data, 2547EC068.
[01:00:02.870 --> 01:00:08.170]  Again, for those of you who might have gotten lost, when I switched from binary to hex, it's the same data.
[01:00:08.170 --> 01:00:11.370]  We're just representing it in a different base.
[01:00:11.370 --> 01:00:14.970]  So, it's base 16, instead of base 2 or base 10.
[01:00:15.410 --> 01:00:20.810]  So, as far as the door controller is concerned, these two cards are the same.
[01:00:20.810 --> 01:00:25.690]  It's seeing the same data, because this reader speaks multiple languages.
[01:00:25.690 --> 01:00:30.850]  Here's a different example. Here is an iClass credential, right?
[01:00:30.850 --> 01:00:34.310]  And again, the same data is on the card.
[01:00:34.390 --> 01:00:42.350]  So, now you're beginning to understand that the card technology itself doesn't matter, because the card is just a container.
[01:00:42.350 --> 01:00:47.650]  It's what's inside that card that matters to both the reader and to the door controller.
[01:00:50.920 --> 01:00:56.600]  So, let's see here. Let me see if the live demos are coming up now or next.
[01:00:57.420 --> 01:01:00.780]  We're going to do all the live demos at once, so I'm going to get through all of this content.
[01:01:00.780 --> 01:01:04.640]  Iceman, what do you think? Should we get through all the slides and just do all the live demos at once?
[01:01:05.140 --> 01:01:08.480]  Let's go all the slides and then we'll take the live demos afterwards.
[01:01:08.480 --> 01:01:09.740]  Yeah, I like that idea.
[01:01:09.920 --> 01:01:12.000]  I like that concept.
[01:01:12.680 --> 01:01:15.540]  So, remember, technology downgrade attack.
[01:01:17.980 --> 01:01:22.840]  So, now we talked about cards to reader communication.
[01:01:22.940 --> 01:01:27.400]  Let's talk briefly about reader to panel communication.
[01:01:27.400 --> 01:01:30.820]  What does it look like after the reader has read the credential?
[01:01:30.960 --> 01:01:37.000]  Well, here is that visual representation of Wiegand data on the wire, but I can do you one better.
[01:01:37.000 --> 01:01:38.660]  I can actually show you.
[01:01:39.780 --> 01:01:44.720]  What I'm going to do is I'm actually just going to remove this reader.
[01:01:44.720 --> 01:01:57.900]  So, here's that reader that we were just using, and I am going to connect it to a logic analyzer.
[01:02:01.360 --> 01:02:03.160]  So, there's our card.
[01:02:25.000 --> 01:02:31.600]  Alright, so, again, we have our reader, which is currently covered up by Iceman's beautiful face.
[01:02:31.600 --> 01:02:34.880]  So, I'm just going to move this down here.
[01:02:35.260 --> 01:02:36.560]  So, here's our reader.
[01:02:36.740 --> 01:02:38.440]  Good, our video is still working.
[01:02:38.740 --> 01:02:43.200]  And what I'm going to do is I already have my channels set up.
[01:02:43.200 --> 01:02:50.540]  So, channel 0 and channel 1 are actually directly connected to those Wiegand data lines coming out of the reader.
[01:02:50.540 --> 01:02:54.840]  So, this is the electrical signals that the door controller would be seeing.
[01:02:55.460 --> 01:02:58.540]  And I'm going to take that same iClass credential.
[01:02:59.420 --> 01:03:01.920]  So, here's an iClass credential, right?
[01:03:01.920 --> 01:03:05.660]  And I'm going to start recording, and I'm going to present it to the reader.
[01:03:05.660 --> 01:03:07.580]  And you just saw a blip go by really fast.
[01:03:07.580 --> 01:03:10.660]  Let's go ahead and zoom out and zoom back in.
[01:03:11.660 --> 01:03:14.940]  And we have the data represented in two different ways here, actually.
[01:03:14.940 --> 01:03:17.440]  So, we have, here's the digital representation up here.
[01:03:17.440 --> 01:03:20.660]  So, we have the line pulled high, the line pulled low.
[01:03:20.660 --> 01:03:24.240]  And here we can see what that actually looks like from an analog perspective.
[01:03:24.240 --> 01:03:30.660]  So, normally those data lines are held at 5 volts, and then they're pulsed briefly to 0 volts, and then released again.
[01:03:30.780 --> 01:03:38.860]  Now, what I really love about this particular example, and I'm going to try to zoom this so it all fits on the screen.
[01:03:38.860 --> 01:03:39.560]  Perfect.
[01:03:39.560 --> 01:03:43.180]  Alright, remember this fake Wiegand card that we made?
[01:03:43.180 --> 01:03:44.760]  Let's take another look.
[01:03:45.000 --> 01:03:47.850]  I told you that all those cards have the same data.
[01:03:49.800 --> 01:04:03.670]  If you look at the data represented in the logic analyzer, you'll notice that all the ones and zeros line right up.
[01:04:03.670 --> 01:04:13.050]  So, here we have 1, 0, 0, 1, 0, 1, and here we have 1, 0, 0, 1, 0, 1, and so on and so forth.
[01:04:13.050 --> 01:04:14.670]  It's literally that simple.
[01:04:14.670 --> 01:04:24.690]  As the data comes out of the reader, it's being converted into these very, very basic electrical signals that the door controller interprets as logical ones and zeros.
[01:04:24.810 --> 01:04:30.310]  So, there's no extra layers on top of it beyond that.
[01:04:30.310 --> 01:04:44.550]  We just scanned an iClass credential, but we can see by connecting to the wires that we're still just seeing the same data as if it was still a Wiegand credential from the 1980s.
[01:04:44.690 --> 01:04:51.350]  And that is a really important piece of context that I think is important to be aware of.
[01:04:51.610 --> 01:05:04.980]  So, we'll go ahead and move that back out of the way, and we'll switch here.
[01:05:05.700 --> 01:05:12.000]  So, again, no matter what you're talking about as it relates to the credential, that's just talking about the first link.
[01:05:12.000 --> 01:05:16.660]  It has nothing to do with that second piece of the communication.
[01:05:16.660 --> 01:05:19.880]  That is usually Wiegand. Not always.
[01:05:19.880 --> 01:05:24.260]  There are a couple of data protocols and communication protocols that exist.
[01:05:24.280 --> 01:05:26.260]  Most of them are unencrypted.
[01:05:26.260 --> 01:05:34.900]  OSDP version 2 has something called secure channel protocol, which can encrypt the data between the card reader and the door controller.
[01:05:34.900 --> 01:05:41.480]  It does have to be set up correctly for it to work reliably, but that is the only way that that credential information is encrypted.
[01:05:41.480 --> 01:05:50.120]  And it's one of the mitigations that we will discuss at the end for ways that you can defend your access control system against malicious manipulation.
[01:05:51.540 --> 01:06:01.100]  That Wiegand communication, that signal that you all just saw on the logic analyzer, is something that we can intercept, and we can take advantage of how simple it is.
[01:06:01.100 --> 01:06:03.680]  There have been a number of tools over the years that do this.
[01:06:03.820 --> 01:06:10.400]  Years and years ago, Zac Franken and Adam Laurie built a beautiful tool called the Gecko, and then later on the Chameleon.
[01:06:10.400 --> 01:06:16.720]  And its only job was to sit on those Wiegand wires, intercept that data, and then allow you to come back and replay it.
[01:06:16.720 --> 01:06:20.760]  In recent years, there have been a number of open source projects that do the same thing.
[01:06:20.760 --> 01:06:26.100]  A few years ago, Mark Baseggio and Eric Evenchick released the BLEKey,
[01:06:26.100 --> 01:06:33.540]  which is a little battery-powered tool that you punch down behind the reader and it just monitors those Wiegand data lines and records credential information.
[01:06:33.920 --> 01:06:41.760]  And then a little bit more recently, also still a few years ago, one of our other friends, Kenny McElroy,
[01:06:41.760 --> 01:06:48.800]  he developed the ESPKey, which was powered off the bus rather than the battery, and used Wi-Fi instead of Bluetooth.
[01:06:48.800 --> 01:06:53.400]  But the concept was the same. This is something that you can install behind the reader,
[01:06:53.400 --> 01:06:58.540]  and intercept that credential information, and then just come back and replay it.
[01:06:58.540 --> 01:07:04.300]  If we have time, after all of our other cooler demos, in my opinion, we can do a demo of that as well.
[01:07:04.300 --> 01:07:12.220]  But I just wanted to cover this as something that is a completely valid attack still today on any systems that are running Wiegand.
[01:07:14.930 --> 01:07:19.150]  So what we're doing with an ESPKey is, again, if we think about our analogy,
[01:07:19.710 --> 01:07:24.030]  when that credential data is read from the card and transmitted from the reader to the door controller,
[01:07:24.030 --> 01:07:29.630]  the ESPKey or the Gecko or the BLEKey, it's listening and it's able to record that information.
[01:07:29.730 --> 01:07:34.970]  Then when we as an attacker approach the door, we don't actually deal with the card reader at all.
[01:07:34.970 --> 01:07:41.250]  We don't have a card even, necessarily. What we do is we interact directly with the ESPKey,
[01:07:41.250 --> 01:07:45.490]  check to see if there's any credentials recorded, and then tell the ESPKey to replay it.
[01:07:45.490 --> 01:07:49.650]  The door controller, not knowing that there's another device connected to the line,
[01:07:49.650 --> 01:07:53.150]  will see the same data and process the transaction the same way.
[01:07:56.160 --> 01:08:00.000]  Just a couple of photos of the install. We'll skip over the video.
[01:08:00.000 --> 01:08:03.900]  The last piece, panel to server communication.
[01:08:04.040 --> 01:08:08.680]  And we have a special surprise demo with this one as well that hopefully we have time for.
[01:08:10.300 --> 01:08:16.180]  Remember, these door controllers often do run on Ethernet, especially today.
[01:08:16.180 --> 01:08:24.040]  And remember how I said they are basically embedded Linux devices that maybe aren't always super protected?
[01:08:24.040 --> 01:08:33.000]  So both the software and the door controllers themselves have to be protected properly on a segmented network.
[01:08:33.000 --> 01:08:35.480]  Otherwise, interesting things can happen.
[01:08:35.520 --> 01:08:40.920]  Because these door controllers are usually Linux devices or other embedded hardware
[01:08:40.920 --> 01:08:46.460]  that are not part of the normal IT infrastructure, they're not part of the normal patch cycle.
[01:08:46.460 --> 01:08:50.760]  In fact, a lot of vendors specifically call out in the instructions
[01:08:51.640 --> 01:09:01.020]  that you don't have to tell IT about this because this is just a physical security appliance.
[01:09:01.020 --> 01:09:04.540]  This is not a computer, even though it actually is a computer.
[01:09:04.660 --> 01:09:11.380]  And so you often times run into situations where libraries, open source libraries used by Linux hardware
[01:09:11.380 --> 01:09:18.460]  are criminally out of date or they have security holes or other bugs or whatnot in the system, in the firmware
[01:09:18.460 --> 01:09:25.080]  that can be exploited. And door controllers are also not something that most users update
[01:09:25.080 --> 01:09:27.380]  because they don't want their system to go down.
[01:09:27.420 --> 01:09:32.920]  So the only time that you update your firmware on a door controller in practice is when there is a problem.
[01:09:33.220 --> 01:09:38.900]  I don't know of any of my clients, actually, that routinely update the software, rather the firmware,
[01:09:38.900 --> 01:09:43.860]  on their door controllers. And you'll see why that can be a problem here in a moment.
[01:09:43.860 --> 01:09:50.100]  And actually, there was a few years ago, there was a really great toolkit called Concierge.
[01:09:50.100 --> 01:09:55.480]  If people have trouble finding it on GitHub, I'll post the link during the Q&A.
[01:09:55.580 --> 01:10:02.540]  Concierge was a collection of exploits that were patched, but then released,
[01:10:02.540 --> 01:10:09.280]  that allows you to directly scan for and then compromise different brands and models of door controllers.
[01:10:09.280 --> 01:10:14.780]  So instead of attacking the card or attacking the reader, you can attack the door controller itself
[01:10:15.080 --> 01:10:21.540]  and either tell it to open a door or add new users to the local database, etc. Stuff like that.
[01:10:22.960 --> 01:10:26.020]  How can you target it? Well, you've got to be on the same network.
[01:10:26.100 --> 01:10:28.960]  And initially, you're like, OK, well, that's a little hard, right?
[01:10:28.960 --> 01:10:32.800]  I've got to either break their Wi-Fi or find a port to plug into.
[01:10:32.800 --> 01:10:39.040]  Not necessarily. You can actually find a lot of door controllers directly connected to the Internet
[01:10:39.040 --> 01:10:45.400]  using Google or using Shodan, and you will find different door controllers
[01:10:45.400 --> 01:10:51.020]  that, again, are running outdated software that are directly connected to the Internet.
[01:10:51.380 --> 01:10:55.840]  How outdated? Well, the couple that we found, when we tried to connect to it,
[01:10:55.840 --> 01:11:01.920]  the version of SSL was so old, all the modern browsers we used wouldn't let us try to talk to it.
[01:11:03.560 --> 01:11:10.120]  Instead, we had to manually turn off SSL and connect to it over HTTP.
[01:11:10.440 --> 01:11:15.720]  And then, of course, you have default credentials, admin, admin, used to log in.
[01:11:15.720 --> 01:11:19.000]  Again, that's an example of what not to do with your door controller
[01:11:19.000 --> 01:11:24.380]  and why it's so important to be mindful of how integrators are deploying and installing hardware.
[01:11:26.540 --> 01:11:29.420]  This is where the slides go a little bit sideways.
[01:11:29.420 --> 01:11:32.740]  And I appreciate everyone being very forgiving here.
[01:11:32.740 --> 01:11:35.720]  We have a lot of topics that we were trying to cram into this,
[01:11:35.720 --> 01:11:41.340]  and we have now just about 55 minutes left for demos, so we're just going to get through a couple more slides.
[01:11:42.060 --> 01:11:48.100]  I mentioned that different card readers can have different configurations.
[01:11:48.580 --> 01:11:50.660]  They can read different technologies.
[01:11:50.660 --> 01:11:55.280]  And I mentioned that a best practice is to turn off those older technologies
[01:11:55.280 --> 01:11:59.700]  in order to protect the system from being manipulated.
[01:11:59.760 --> 01:12:03.560]  How do you do that? If Wiegand is one way, how do you do that?
[01:12:03.560 --> 01:12:05.360]  There's no Ethernet port on it.
[01:12:05.360 --> 01:12:08.840]  Well, there are things called configuration cards.
[01:12:08.840 --> 01:12:11.720]  Configuration cards are not unique to one vendor.
[01:12:11.780 --> 01:12:15.120]  Many vendors support different types of configuration cards
[01:12:15.120 --> 01:12:19.800]  that are special cards that the reader will only read during its boot-up cycle,
[01:12:19.800 --> 01:12:22.980]  and it will reconfigure how that reader operates.
[01:12:22.980 --> 01:12:26.560]  That can change things like the key that's stored on the reader,
[01:12:26.560 --> 01:12:31.920]  so if the customer wants a special or a custom or a unique key, they can do that.
[01:12:31.920 --> 01:12:35.580]  They can also change which card technologies are supported by the reader,
[01:12:35.580 --> 01:12:38.900]  so you can turn different technologies on and off.
[01:12:39.980 --> 01:12:42.240]  There's a lot of other behaviors you can change as well.
[01:12:42.240 --> 01:12:44.940]  You can change the LED color, you can change whether or not it beeps,
[01:12:44.940 --> 01:12:47.380]  how long it beeps for, all that stuff.
[01:12:47.380 --> 01:12:51.040]  All that can be changed through the use of configuration cards.
[01:12:51.040 --> 01:12:54.220]  That's important to keep in mind once we get to our demos.
[01:12:55.800 --> 01:13:00.300]  So using configuration cards, you can do a couple of interesting things,
[01:13:00.300 --> 01:13:02.860]  and we're going to show you demos of all this stuff.
[01:13:03.900 --> 01:13:11.020]  A new exploit, a topic that is not completely brand new,
[01:13:11.020 --> 01:13:14.720]  but no one has really talked about, is a method of doing a denial-of-service attack
[01:13:15.840 --> 01:13:20.820]  against certain older readers that prevent valid users from using the facility.
[01:13:20.920 --> 01:13:24.340]  We're also going to do a live demo of a tech downgrade attack that I mentioned.
[01:13:24.340 --> 01:13:28.260]  We're going to take secure, high-security credentials that,
[01:13:28.260 --> 01:13:30.640]  as far as we know, there's no public defeat for.
[01:13:30.640 --> 01:13:34.340]  People don't know how to break DESFire EV1, EV2.
[01:13:34.580 --> 01:13:37.620]  People don't really know how to break SEOS currently.
[01:13:37.700 --> 01:13:40.420]  But depending on how the rest of the system is configured,
[01:13:40.420 --> 01:13:42.540]  we'll see how we don't even need to do that
[01:13:42.540 --> 01:13:44.940]  to necessarily create a working clone.
[01:13:45.200 --> 01:13:47.560]  And then we're also going to do an example of key recovery.
[01:13:47.560 --> 01:13:51.160]  This is related to the loclass attack, or elite key extraction,
[01:13:51.160 --> 01:13:52.980]  that was released many years ago.
[01:13:53.180 --> 01:13:57.060]  But Iceman has written some new tools for the Proxmark 3
[01:13:57.060 --> 01:13:59.820]  to make that even easier and even faster.
[01:14:00.160 --> 01:14:02.740]  And we spent a lot of time testing it and debugging it
[01:14:02.740 --> 01:14:05.920]  over the past couple of weeks, and it's so freaking awesome.
[01:14:05.920 --> 01:14:07.760]  I'm really excited to share it with you all.
[01:14:11.410 --> 01:14:14.930]  So, before we get to demos, Iceman, you want to talk a little bit
[01:14:14.930 --> 01:14:16.670]  about some of the new tools that have come out
[01:14:16.670 --> 01:14:19.730]  within the past six months regarding RFID?
[01:14:20.730 --> 01:14:22.250]  Yes, I do, actually.
[01:14:22.250 --> 01:14:26.710]  And that was an amazing crunching of the old PACS background.
[01:14:27.110 --> 01:14:29.270]  Defeating the PAX man ghost.
[01:14:29.670 --> 01:14:35.190]  And yes, you got a lot of info about what's the setup now.
[01:14:35.190 --> 01:14:37.650]  So what are the tools that we use?
[01:14:38.010 --> 01:14:41.130]  What are we using today when we do this stuff?
[01:14:41.210 --> 01:14:44.010]  I need to just move a little bit here on the slideshow.
[01:14:44.010 --> 01:14:44.630]  Sure.
[01:14:46.110 --> 01:14:49.710]  And let's see, I'm on almost the same part as you.
[01:14:50.830 --> 01:14:51.990]  And there we go.
[01:14:52.490 --> 01:14:56.450]  It's because the screens I get from Babak are very blurry,
[01:14:56.450 --> 01:14:57.970]  so I can't see what it says on it.
[01:14:58.450 --> 01:15:00.050]  Even if I know it by heart.
[01:15:00.450 --> 01:15:02.470]  So, the new tools of 2020.
[01:15:02.470 --> 01:15:05.630]  We talked about the BLEKey and ESPKey,
[01:15:05.630 --> 01:15:07.950]  and of course, everybody knows the Proxmark.
[01:15:08.350 --> 01:15:11.270]  There was... Adam Laurie is a famous name,
[01:15:11.270 --> 01:15:13.010]  he's also known as RFIDiot,
[01:15:13.010 --> 01:15:18.110]  and he's an amazing RFID researcher, slash hacker,
[01:15:18.110 --> 01:15:22.630]  and DEF CON quartermanager, quartermajor?
[01:15:22.630 --> 01:15:23.290]  Quartermaster.
[01:15:23.530 --> 01:15:25.930]  Quartermaster, okay, right, sorry.
[01:15:26.570 --> 01:15:28.450]  Got to get the titles correct.
[01:15:29.410 --> 01:15:35.990]  And he has just recently released and made something for nfc-tools,
[01:15:35.990 --> 01:15:38.330]  the libnfc-based version.
[01:15:38.330 --> 01:15:40.390]  It is called nfc-iclass,
[01:15:40.390 --> 01:15:47.470]  and that's a software that gives the possibility to use your old other readers,
[01:15:49.110 --> 01:15:51.710]  PN532 or PN533,
[01:15:51.710 --> 01:15:54.590]  and you can now communicate with iClass.
[01:15:54.590 --> 01:15:56.670]  It wasn't possible before.
[01:15:56.670 --> 01:16:02.670]  You have to see, iClass has been like a little bit of a separate world,
[01:16:02.670 --> 01:16:04.330]  because it's been a little bit special,
[01:16:04.330 --> 01:16:06.110]  and the crypto involved with it,
[01:16:06.110 --> 01:16:09.490]  it wasn't adapted to different tools,
[01:16:09.490 --> 01:16:11.810]  and also about keys, of course,
[01:16:11.810 --> 01:16:15.190]  and HID being known as a little bit hard-handed.
[01:16:16.150 --> 01:16:21.050]  So, this is a major step that he did with this software,
[01:16:21.050 --> 01:16:23.290]  because it enables us to do things.
[01:16:23.490 --> 01:16:25.550]  And the other one is the Proxmark,
[01:16:25.550 --> 01:16:27.610]  which you all know that I know about,
[01:16:27.610 --> 01:16:30.010]  and you know that everybody else knows about,
[01:16:30.010 --> 01:16:33.110]  which is the Swiss army knife of RFID hacking.
[01:16:33.630 --> 01:16:38.730]  And now what happened here is some really intensive changes
[01:16:38.730 --> 01:16:41.570]  to the firmware and client used,
[01:16:41.570 --> 01:16:44.030]  which includes what I would call FPGA changes,
[01:16:44.030 --> 01:16:45.930]  and a new iClass standalone mode,
[01:16:45.930 --> 01:16:48.950]  which involves some separate modes I will talk more about,
[01:16:48.950 --> 01:16:51.850]  because it comes related to the surreptitious attacks
[01:16:51.850 --> 01:16:53.890]  that we want to demo for you.
[01:16:53.890 --> 01:16:57.230]  So, without further ado, next slide.
[01:16:57.750 --> 01:16:59.290]  Oh, yeah, my apologies.
[01:16:59.490 --> 01:17:03.870]  Yeah, my assistant Babak has to do this.
[01:17:04.430 --> 01:17:06.010]  And for you, Rick, I'm going to do this.
[01:17:06.010 --> 01:17:08.450]  Because it's DEF CON, you're going to get this one.
[01:17:08.450 --> 01:17:09.570]  It's for you, Rick.
[01:17:12.010 --> 01:17:13.330]  I'm Iceman.
[01:17:13.610 --> 01:17:14.730]  And that's it.
[01:17:15.870 --> 01:17:21.770]  So, yes, nfc-tools, nfc-iclass by Adam Laurie.
[01:17:21.770 --> 01:17:24.950]  It uses libnfc behind it,
[01:17:24.950 --> 01:17:27.510]  and you see Filip Tøven and DotJocks,
[01:17:27.510 --> 01:17:29.910]  you know, the little puppet there,
[01:17:29.910 --> 01:17:31.590]  and they make it great.
[01:17:31.590 --> 01:17:34.910]  It tricks, and it uses a trick,
[01:17:34.910 --> 01:17:40.470]  because libnfc is not very good on the ISO 15693 protocol,
[01:17:40.470 --> 01:17:42.470]  so it uses a trick where it actually,
[01:17:42.470 --> 01:17:44.350]  because iClass can talk to different tech,
[01:17:44.350 --> 01:17:47.930]  ISO 14443B or 15693.
[01:17:47.930 --> 01:17:50.190]  So, on this version,
[01:17:50.190 --> 01:17:53.270]  it tricks the reader to use that to talk to an iClass.
[01:17:53.270 --> 01:17:55.750]  The thingy, thingy, thingy,
[01:17:55.750 --> 01:17:57.670]  the fine, fine thing here is, of course,
[01:17:57.670 --> 01:18:01.970]  that what we are interested in is that this tool,
[01:18:01.970 --> 01:18:03.690]  Adam was so gracious,
[01:18:03.690 --> 01:18:06.670]  he made us config cards,
[01:18:06.670 --> 01:18:09.810]  possibilities to generate simply by open source.
[01:18:10.150 --> 01:18:12.590]  Other people, like Babak and other people, of course,
[01:18:12.590 --> 01:18:16.410]  have had the possibility to generate config cards at will,
[01:18:16.410 --> 01:18:18.250]  like many of us.
[01:18:18.250 --> 01:18:21.850]  But it hasn't been publicly released in the way that it has done now,
[01:18:21.850 --> 01:18:26.910]  so this is a good stepping stone for what is to come,
[01:18:26.910 --> 01:18:28.190]  of what we want to see.
[01:18:28.410 --> 01:18:30.950]  You can skip to the next slide.
[01:18:33.450 --> 01:18:35.830]  I'm not going to talk so much about the config card.
[01:18:36.370 --> 01:18:41.090]  It's the concept of having a config card that's interesting,
[01:18:41.090 --> 01:18:42.930]  not what the config card is,
[01:18:42.930 --> 01:18:44.070]  and how it's done, or whatever.
[01:18:44.070 --> 01:18:45.310]  You can look at that software.
[01:18:45.310 --> 01:18:46.970]  So, the next one is...
[01:18:47.570 --> 01:18:49.990]  We're not supporting iClass timeline.
[01:18:50.190 --> 01:18:51.350]  Yes, yes.
[01:18:51.370 --> 01:18:54.990]  So, given the support for iClass in Proxmark,
[01:18:54.990 --> 01:18:58.270]  I don't know how it is, but Proxmark is an open source tool,
[01:18:58.270 --> 01:19:00.410]  and it's as good as the firmware is,
[01:19:00.410 --> 01:19:04.590]  and it has had a story of two different repos,
[01:19:04.590 --> 01:19:06.950]  mainly mine and the official repo.
[01:19:06.990 --> 01:19:12.930]  And the thing is how this happened to be able to speak iClass.
[01:19:12.930 --> 01:19:17.050]  And it started 2010-2013, where real researchers,
[01:19:17.050 --> 01:19:20.750]  cryptological researchers called Roel and Milosch and all those others,
[01:19:20.750 --> 01:19:24.770]  did some amazing attacks and research about the iClass system,
[01:19:24.770 --> 01:19:27.290]  the crypto, the hashes used,
[01:19:27.290 --> 01:19:30.110]  and released tools and attacks about it.
[01:19:30.110 --> 01:19:35.050]  And they also released some algos into the Proxmark repo,
[01:19:35.450 --> 01:19:37.350]  but that was it.
[01:19:37.650 --> 01:19:41.450]  And skipping a little bit forward, 2014-2015,
[01:19:41.770 --> 01:19:44.050]  a user called holiman, he did some improvements,
[01:19:44.050 --> 01:19:49.050]  where he actually implemented the crypto, the iClass crypto used,
[01:19:49.050 --> 01:19:50.910]  which was a major thing,
[01:19:50.910 --> 01:19:55.570]  because before that Proxmark couldn't really talk iClass.
[01:19:55.670 --> 01:20:00.430]  It's a variant of ISO 15693,
[01:20:00.430 --> 01:20:02.590]  so iClass is a little bit different,
[01:20:02.590 --> 01:20:04.730]  and you need the crypto part as well.
[01:20:04.730 --> 01:20:06.830]  So he did that, which is an amazing feature,
[01:20:06.830 --> 01:20:11.210]  and he also implemented, from that research made before,
[01:20:11.210 --> 01:20:12.490]  from Roel and everybody,
[01:20:12.490 --> 01:20:15.990]  he also made that elite key recovery attack,
[01:20:15.990 --> 01:20:18.470]  which we all call loclass nowadays,
[01:20:18.470 --> 01:20:19.770]  which has been, since then,
[01:20:19.770 --> 01:20:23.010]  has been a state-of-the-art attack to recover elite keys,
[01:20:23.350 --> 01:20:25.690]  based on Carl and Babak and all other people
[01:20:25.690 --> 01:20:28.570]  who helped to get the readers and all that.
[01:20:28.570 --> 01:20:30.070]  It's amazing. It's a shout-out.
[01:20:30.070 --> 01:20:32.430]  I'm just doing a shout-out to people who have done this,
[01:20:32.430 --> 01:20:35.290]  and I want to show appreciation for them,
[01:20:35.290 --> 01:20:36.990]  because that's what it is.
[01:20:37.790 --> 01:20:40.290]  Skipping forward again, 2018 and 2019,
[01:20:41.050 --> 01:20:43.570]  until then, nothing much happened with iClass.
[01:20:43.670 --> 01:20:45.550]  The support worked.
[01:20:45.550 --> 01:20:47.130]  It was bad modulation.
[01:20:47.130 --> 01:20:48.650]  You had to find the right spot.
[01:20:48.650 --> 01:20:50.910]  If you ever used a Proxmark, you always were like,
[01:20:50.910 --> 01:20:52.310]  do you have the right antenna?
[01:20:52.310 --> 01:20:53.770]  Do you have the right distance?
[01:20:53.770 --> 01:20:58.710]  It's fidgety, and you might have been able to do the sniffing, snooping, and reading.
[01:20:58.710 --> 01:21:00.330]  It's a painful experience.
[01:21:00.330 --> 01:21:03.450]  If you've been as long as I've been into the Proxmark world,
[01:21:03.450 --> 01:21:05.710]  where it's come from, you know,
[01:21:05.710 --> 01:21:07.730]  crashing and bugging and everything like that,
[01:21:07.730 --> 01:21:09.470]  it's been painful.
[01:21:09.730 --> 01:21:12.330]  2018-2019, another user,
[01:21:12.330 --> 01:21:15.170]  who actually is another amazing contributor,
[01:21:15.170 --> 01:21:16.330]  is Peavey.
[01:21:16.330 --> 01:21:18.970]  And he did some huge improvements on this
[01:21:19.730 --> 01:21:23.450]  code and firmware for iClass.
[01:21:23.450 --> 01:21:26.750]  We majorly improved this.
[01:21:26.750 --> 01:21:29.190]  I talk majorly.
[01:21:29.190 --> 01:21:33.570]  And that really made the official repo,
[01:21:33.570 --> 01:21:35.130]  he works in the official repo,
[01:21:35.130 --> 01:21:37.110]  it makes it super, super stable.
[01:21:37.410 --> 01:21:40.090]  So all of a sudden, we have a good communication.
[01:21:40.210 --> 01:21:41.790]  We have all the pieces in place.
[01:21:41.790 --> 01:21:45.570]  Remember now, we have a public config card-generated software.
[01:21:45.690 --> 01:21:48.450]  We have good stability in Proxmark,
[01:21:48.450 --> 01:21:49.370]  reading of the cryptos,
[01:21:49.370 --> 01:21:51.730]  and we now have a very good way of doing it.
[01:21:51.730 --> 01:21:54.250]  I can talk more about how it's actually done,
[01:21:54.250 --> 01:21:55.090]  how it changes,
[01:21:55.090 --> 01:21:57.030]  and why it's kind of awesome the way he did it,
[01:21:57.030 --> 01:21:58.890]  because he went kind of deep.
[01:21:58.890 --> 01:22:00.490]  I will talk a little more about it.
[01:22:00.510 --> 01:22:03.650]  And 2020 is what I call Merge Hell start.
[01:22:03.930 --> 01:22:06.250]  And I will... yeah.
[01:22:06.610 --> 01:22:07.850]  Merge Hell is something...
[01:22:08.450 --> 01:22:09.930]  It's a little my fault.
[01:22:10.390 --> 01:22:10.750]  So...
[01:22:11.730 --> 01:22:13.150]  Yeah, you want to talk about that?
[01:22:13.150 --> 01:22:13.790]  Yeah, yeah, yeah.
[01:22:13.790 --> 01:22:16.430]  So I met Iceman for the first time in person last year,
[01:22:16.430 --> 01:22:18.490]  at DEF CON last year.
[01:22:18.790 --> 01:22:20.450]  And I pulled him aside at some point,
[01:22:20.450 --> 01:22:22.170]  and I'm like, hey, first of all,
[01:22:22.170 --> 01:22:23.570]  thank you for all the hard work.
[01:22:23.570 --> 01:22:25.110]  Like, I can't write code.
[01:22:25.190 --> 01:22:26.570]  Like, I wish I could contribute more.
[01:22:26.570 --> 01:22:27.950]  I can contribute in testing,
[01:22:27.950 --> 01:22:29.310]  I can contribute hardware,
[01:22:29.310 --> 01:22:31.050]  I can do a lot of other stuff.
[01:22:31.050 --> 01:22:32.430]  I'm not a great coder.
[01:22:32.430 --> 01:22:34.050]  I can do a lot of other things.
[01:22:35.270 --> 01:22:37.290]  Why is iClass so unstable?
[01:22:37.290 --> 01:22:37.910]  He's like, what do you mean?
[01:22:37.910 --> 01:22:38.810]  It works fine for me.
[01:22:38.810 --> 01:22:41.330]  I'm like, no, it's really bad.
[01:22:41.330 --> 01:22:43.570]  I don't know if you really appreciate how bad it is.
[01:22:44.250 --> 01:22:45.730]  It's unusable bad.
[01:22:46.730 --> 01:22:48.730]  And at some point,
[01:22:48.730 --> 01:22:52.270]  PeeWee made all these changes in the official repo,
[01:22:52.270 --> 01:22:53.930]  and all of a sudden it was rock solid,
[01:22:53.930 --> 01:22:56.070]  but, like, RRG was, like, still behind.
[01:22:56.070 --> 01:22:57.990]  And I'm like, oh, man, like,
[01:22:57.990 --> 01:23:00.210]  surely at some point it's going to be merged,
[01:23:00.210 --> 01:23:03.210]  but I didn't really appreciate how much work it was.
[01:23:03.230 --> 01:23:06.570]  So what I did is I tricked Iceman a little bit.
[01:23:06.590 --> 01:23:10.230]  I invited Iceman to participate in some of our trainings
[01:23:10.230 --> 01:23:13.850]  that we were doing for our professional pen testers.
[01:23:13.990 --> 01:23:15.890]  We were in classes.
[01:23:16.250 --> 01:23:17.730]  And just to watch.
[01:23:17.730 --> 01:23:22.810]  And he saw, he saw how bad the performance was.
[01:23:22.890 --> 01:23:24.990]  Again, not his fault.
[01:23:24.990 --> 01:23:26.530]  This is a community project.
[01:23:26.530 --> 01:23:28.210]  Everyone is doing their best.
[01:23:28.810 --> 01:23:30.790]  But that was, that was the thing,
[01:23:30.790 --> 01:23:32.510]  like a month and a half ago, right?
[01:23:32.510 --> 01:23:33.930]  That was in June.
[01:23:34.150 --> 01:23:35.970]  Where you're like...
[01:23:35.970 --> 01:23:36.970]  It was bad.
[01:23:37.630 --> 01:23:39.430]  Anyone who was in that June class,
[01:23:39.430 --> 01:23:40.550]  it was a solid class.
[01:23:40.550 --> 01:23:41.870]  But once we got to iClass,
[01:23:41.870 --> 01:23:43.350]  we hit a freaking brick wall
[01:23:43.350 --> 01:23:45.070]  because we just had a lot of trouble
[01:23:45.510 --> 01:23:46.970]  communicating with cards.
[01:23:47.330 --> 01:23:48.950]  You've been having that for years.
[01:23:48.950 --> 01:23:51.810]  The thing is, I use it at home.
[01:23:51.810 --> 01:23:52.970]  I have some credentials.
[01:23:52.970 --> 01:23:54.870]  It works. That's it.
[01:23:54.870 --> 01:23:56.410]  You don't do very much more with it.
[01:23:56.410 --> 01:23:57.550]  You don't need to.
[01:23:57.710 --> 01:23:59.430]  You dump some cards and look at it.
[01:23:59.430 --> 01:24:01.530]  It works.
[01:24:01.670 --> 01:24:03.910]  But for a class, for teaching,
[01:24:03.910 --> 01:24:05.130]  for using it on field,
[01:24:05.130 --> 01:24:07.550]  oh man, that sucks.
[01:24:08.390 --> 01:24:10.090]  So yeah, two months ago,
[01:24:10.090 --> 01:24:11.250]  let's say two months ago,
[01:24:11.250 --> 01:24:13.010]  because it started a little bit earlier
[01:24:13.010 --> 01:24:15.350]  and I came up to this.
[01:24:15.350 --> 01:24:16.830]  I decided finally...
[01:24:16.830 --> 01:24:18.570]  I didn't want to do it because I was actually
[01:24:18.570 --> 01:24:20.770]  supposed to do a Hitag 2 code
[01:24:20.770 --> 01:24:22.390]  and then we made a release of this
[01:24:22.390 --> 01:24:24.750]  stable thing. Once that was in place,
[01:24:24.750 --> 01:24:26.550]  I could do other things
[01:24:26.550 --> 01:24:28.550]  and that would become merge hell.
[01:24:28.550 --> 01:24:30.470]  Meaning that the total changes
[01:24:30.470 --> 01:24:31.750]  that we've done for two years
[01:24:32.490 --> 01:24:35.850]  to be merged into the RRG Iceman repo.
[01:24:35.890 --> 01:24:37.330]  Which is... yeah.
[01:24:37.330 --> 01:24:38.530]  The thing is, what I want to say,
[01:24:38.530 --> 01:24:39.570]  the most important part is that
[01:24:39.570 --> 01:24:41.930]  the iClass support that we made
[01:24:41.930 --> 01:24:43.590]  is rock solid.
[01:24:43.590 --> 01:24:44.610]  It's so good.
[01:24:45.750 --> 01:24:47.870]  Even if you use libnfc now,
[01:24:47.870 --> 01:24:49.670]  you're going to go like, oh that's ugly.
[01:24:49.990 --> 01:24:52.170]  Bad compared to this.
[01:24:52.170 --> 01:24:53.130]  Next slide.
[01:24:53.590 --> 01:24:55.550]  Oops, sorry.
[01:24:56.290 --> 01:24:58.110]  And in true Proxmark form,
[01:24:58.110 --> 01:24:59.910]  by the way, fixing one thing broke
[01:24:59.910 --> 01:25:02.090]  another. So iClass
[01:25:02.090 --> 01:25:04.690]  support, rock solid.
[01:25:04.770 --> 01:25:06.710]  ISO 14b support,
[01:25:06.710 --> 01:25:08.190]  completely broken.
[01:25:08.290 --> 01:25:09.930]  Thankfully, not as many people
[01:25:09.930 --> 01:25:12.110]  use ISO 14b. I think iClass
[01:25:12.110 --> 01:25:13.750]  is more useful myself, but
[01:25:14.190 --> 01:25:16.210]  it's just whack-a-mole, right?
[01:25:16.610 --> 01:25:18.370]  Yeah, it's
[01:25:20.270 --> 01:25:20.710]  what's...
[01:25:21.170 --> 01:25:22.050]  God.
[01:25:22.530 --> 01:25:23.730]  I don't know what to say.
[01:25:23.730 --> 01:25:24.510]  Anyway.
[01:25:26.850 --> 01:25:27.990]  I know.
[01:25:27.990 --> 01:25:29.490]  We're on a timeline. I know, I know.
[01:25:29.490 --> 01:25:30.230]  Sorry.
[01:25:32.650 --> 01:25:34.330]  I'm trying to do this seriously.
[01:25:34.330 --> 01:25:35.490]  I know, I know.
[01:25:35.490 --> 01:25:36.810]  It's so hard.
[01:25:37.470 --> 01:25:38.970]  Okay, you made me lose my
[01:25:38.970 --> 01:25:39.810]  mind here.
[01:25:41.090 --> 01:25:42.430]  Two repos, yes.
[01:25:42.430 --> 01:25:43.910]  Two very different repos.
[01:25:47.370 --> 01:25:48.650]  Yes, two repos.
[01:25:48.650 --> 01:25:50.630]  Official repo and Iceman repo.
[01:25:50.890 --> 01:25:52.570]  It's separate a couple of years ago
[01:25:52.570 --> 01:25:54.570]  because we wanted to build the
[01:25:54.570 --> 01:25:56.310]  support for RDV4 a little bit better
[01:25:56.310 --> 01:25:58.550]  and put some effort in. So it's a different way of
[01:25:58.550 --> 01:26:00.390]  using and thinking. Once you use
[01:26:00.390 --> 01:26:02.510]  the RRG Iceman repo, you will see the
[01:26:02.510 --> 01:26:04.910]  difference and you feel the difference in it.
[01:26:04.910 --> 01:26:06.430]  It is what it is.
[01:26:06.630 --> 01:26:08.930]  Basically, the FPGA changes. This is an amazing
[01:26:08.930 --> 01:26:10.890]  thing because it's a huge feature that's coming
[01:26:10.890 --> 01:26:13.010]  out. The FPGA changes.
[01:26:13.110 --> 01:26:14.970]  You have a system here,
[01:26:14.970 --> 01:26:16.910]  you have a client on a PC, you have an ARM device
[01:26:16.910 --> 01:26:18.830]  and on it you have also an FPGA that
[01:26:18.830 --> 01:26:20.150]  talks to the ADC
[01:26:20.690 --> 01:26:22.510]  and do things. It's all
[01:26:22.510 --> 01:26:24.890]  programmable. It all had to change
[01:26:24.890 --> 01:26:26.750]  and PV made things and move
[01:26:26.750 --> 01:26:28.830]  IQ handling and stuff into the FPGA
[01:26:28.830 --> 01:26:31.190]  code. Since he did that,
[01:26:31.190 --> 01:26:32.850]  the thing is, the FPGA before
[01:26:32.850 --> 01:26:35.150]  did the ADC signal,
[01:26:35.150 --> 01:26:36.930]  send it to the ARM, ARM demodulated,
[01:26:36.930 --> 01:26:39.030]  sent it off to the client, the client did all the hard lifting.
[01:26:39.030 --> 01:26:40.930]  It did all the select the card, it did all the
[01:26:40.930 --> 01:26:42.830]  calculation of cryptos, calculation of MAC
[01:26:42.830 --> 01:26:45.450]  values when writing and everything like that.
[01:26:45.490 --> 01:26:46.850]  However, afterwards,
[01:26:47.590 --> 01:26:48.030]  FPGA
[01:26:48.590 --> 01:26:50.970]  took the signals, made IQ pairs of it
[01:26:50.970 --> 01:26:52.570]  and sent those to the ARM.
[01:26:52.710 --> 01:26:55.050]  ARM decoded that one much better because IQ's
[01:26:55.050 --> 01:26:56.890]  demodulation is super much better
[01:26:56.890 --> 01:26:59.470]  and stable. That's where that comes from.
[01:26:59.750 --> 01:27:01.050]  And then sent it all off
[01:27:01.050 --> 01:27:03.010]  to the client again, who still did the
[01:27:03.010 --> 01:27:05.490]  hard lifting. Next queue.
[01:27:08.170 --> 01:27:09.250]  And here
[01:27:09.250 --> 01:27:11.850]  is when things become funny.
[01:27:12.770 --> 01:27:13.370]  You did that
[01:27:13.370 --> 01:27:14.510]  and I didn't do that.
[01:27:15.390 --> 01:27:17.110]  And so,
[01:27:17.110 --> 01:27:19.210]  you talk with people, you talk
[01:27:19.210 --> 01:27:20.870]  with yourself and you talk with
[01:27:20.870 --> 01:27:23.390]  Babak and you go like, hmm...
[01:27:23.390 --> 01:27:24.970]  So, we have rock solid
[01:27:24.970 --> 01:27:26.970]  demodulation of iClass. What
[01:27:26.970 --> 01:27:28.430]  can we do now?
[01:27:29.370 --> 01:27:30.770]  And you know, it's a
[01:27:30.770 --> 01:27:32.510]  bouncing thing. I don't want to say who brought that
[01:27:32.510 --> 01:27:35.150]  in first because people have been saying these ideas for years.
[01:27:35.150 --> 01:27:36.650]  But, you know, with
[01:27:36.650 --> 01:27:38.510]  all this stuff, I'm like sitting here and I'm like
[01:27:39.170 --> 01:27:40.430]  thinking... We were talking about it at
[01:27:40.430 --> 01:27:43.290]  DEF CON last year. Yeah.
[01:27:43.290 --> 01:27:45.070]  Yeah. Yeah. Yeah. How about
[01:27:45.070 --> 01:27:46.610]  moving this crypto?
[01:27:46.610 --> 01:27:48.510]  How about, you know, do that to ARM, you know?
[01:27:48.510 --> 01:27:50.370]  And people are... I know I've even kept meeting
[01:27:50.370 --> 01:27:53.130]  and asked, why can't you get an iClass
[01:27:53.130 --> 01:27:55.190]  standalone mode? And I'm like,
[01:27:55.190 --> 01:27:55.990]  yeah, you know.
[01:27:55.990 --> 01:27:57.750]  It's not solid for demodulation
[01:27:57.750 --> 01:28:00.510]  and the crypto parts is also better.
[01:28:00.510 --> 01:28:02.390]  You know, I don't want to do that work.
[01:28:02.690 --> 01:28:03.990]  So, we do that stuff.
[01:28:03.990 --> 01:28:05.670]  So, we're like,
[01:28:05.670 --> 01:28:07.770]  how about we move it? Now,
[01:28:07.770 --> 01:28:09.710]  one part that Peavey did, he actually optimized
[01:28:09.710 --> 01:28:12.250]  the crypto so it went even faster.
[01:28:12.250 --> 01:28:14.010]  And that's needed when you simulate
[01:28:14.010 --> 01:28:15.770]  things on the device. You need
[01:28:15.770 --> 01:28:17.830]  speed. So, he did that.
[01:28:17.830 --> 01:28:19.670]  You know, shaving off milliseconds
[01:28:19.670 --> 01:28:22.150]  or microseconds, you know.
[01:28:22.610 --> 01:28:23.510]  So,
[01:28:23.510 --> 01:28:25.370]  I had to refactor the whole code
[01:28:25.370 --> 01:28:27.330]  because since before
[01:28:27.330 --> 01:28:28.990]  everything was in the client,
[01:28:29.270 --> 01:28:30.670]  move it all into the device
[01:28:31.650 --> 01:28:33.550]  and by doing that,
[01:28:33.550 --> 01:28:35.190]  you can call it achievement unlocked,
[01:28:35.190 --> 01:28:37.150]  we have full crypto and MAC generation
[01:28:37.150 --> 01:28:38.670]  on the device.
[01:28:39.170 --> 01:28:41.610]  Which is an amazing feature.
[01:28:41.870 --> 01:28:43.250]  It enables us
[01:28:43.250 --> 01:28:45.070]  to do more things. It took a whole
[01:28:45.070 --> 01:28:47.170]  remake because the whole flow of work is
[01:28:47.170 --> 01:28:48.390]  just different.
[01:28:48.950 --> 01:28:51.510]  Next thing that comes up,
[01:28:51.510 --> 01:28:53.470]  how about a stand-alone mode?
[01:28:53.470 --> 01:28:55.530]  Now that we can do these things here,
[01:28:55.530 --> 01:28:56.970]  how about that?
[01:28:57.070 --> 01:28:59.890]  Well, you know, how are we going to do the dumps?
[01:28:59.950 --> 01:29:01.590]  We have a flash
[01:29:01.590 --> 01:29:03.630]  memory on RDV4, so let's do
[01:29:03.630 --> 01:29:05.510]  it like that. So, let's
[01:29:05.510 --> 01:29:07.310]  create a stand-alone mode which can
[01:29:07.310 --> 01:29:09.790]  talk iClass.
[01:29:10.990 --> 01:29:11.650]  Doable.
[01:29:11.650 --> 01:29:13.290]  Have to rework all the code again
[01:29:13.290 --> 01:29:15.470]  because make it work. And we actually
[01:29:15.470 --> 01:29:17.390]  achieved the very first iClass
[01:29:17.390 --> 01:29:19.070]  legacy simulation stand-alone mode
[01:29:19.070 --> 01:29:21.730]  one and a half month ago.
[01:29:22.690 --> 01:29:23.190]  Next
[01:29:23.190 --> 01:29:24.990]  question when you do this,
[01:29:24.990 --> 01:29:27.210]  just the bouncing ideas and you go like,
[01:29:27.210 --> 01:29:29.410]  what more can we do? Because we implemented
[01:29:29.410 --> 01:29:31.170]  all of this stuff in the client before.
[01:29:31.170 --> 01:29:32.990]  Can we push the limit?
[01:29:32.990 --> 01:29:35.130]  What more can we do? That would be cool.
[01:29:35.590 --> 01:29:37.190]  So, how about we
[01:29:37.190 --> 01:29:38.950]  do two more modes
[01:29:38.950 --> 01:29:40.630]  of the stand-alone modes
[01:29:40.630 --> 01:29:42.930]  where we now do
[01:29:42.930 --> 01:29:45.370]  reading and
[01:29:45.370 --> 01:29:47.210]  dumping. Read a tag,
[01:29:47.850 --> 01:29:49.190]  proxmark act as a reader
[01:29:49.190 --> 01:29:51.510]  and store the credential.
[01:29:51.770 --> 01:29:53.330]  And the next one is
[01:29:54.490 --> 01:29:55.550]  elite reader.
[01:29:55.550 --> 01:29:57.670]  Do the sim2 attack.
[01:29:57.770 --> 01:29:59.570]  It's a simple one in that sense.
[01:30:00.130 --> 01:30:00.650]  And
[01:30:01.210 --> 01:30:03.650]  achieve that as well. Too much is amazing.
[01:30:03.650 --> 01:30:04.870]  We have three in one.
[01:30:05.610 --> 01:30:07.470]  We were not quite done
[01:30:07.470 --> 01:30:09.210]  yet. And here's the next talk
[01:30:09.210 --> 01:30:11.090]  with Babak. We said this
[01:30:11.090 --> 01:30:13.210]  and he goes like, hey,
[01:30:13.210 --> 01:30:15.450]  do you
[01:30:15.450 --> 01:30:17.270]  remember my
[01:30:17.270 --> 01:30:18.750]  config card glitch attack?
[01:30:18.750 --> 01:30:21.330]  I want to clarify. This is not my
[01:30:21.330 --> 01:30:22.650]  attack. This was
[01:30:23.210 --> 01:30:24.210]  true.
[01:30:24.970 --> 01:30:27.390]  You showed it to me and you demonstrated it in your trainings
[01:30:27.390 --> 01:30:29.290]  and all that stuff. So, I called
[01:30:29.290 --> 01:30:30.950]  you in the context of
[01:30:30.950 --> 01:30:32.890]  where we were.
[01:30:33.010 --> 01:30:35.090]  But you had it.
[01:30:35.090 --> 01:30:36.490]  It's your baby.
[01:30:36.610 --> 01:30:38.250]  So, I'm like, yeah.
[01:30:38.770 --> 01:30:41.730]  We have a config card glitch attack.
[01:30:41.730 --> 01:30:43.590]  Okay, so what is that
[01:30:43.590 --> 01:30:45.630]  then? How does that work?
[01:30:46.250 --> 01:30:47.870]  Yeah, basically you simulate
[01:30:47.870 --> 01:30:49.710]  one, you present one card and then you
[01:30:49.710 --> 01:30:51.870]  present another card and Babak will demonstrate
[01:30:51.870 --> 01:30:53.730]  all this stuff pretty soon.
[01:30:53.750 --> 01:30:55.770]  So, I have to refactor all things again
[01:30:55.770 --> 01:30:57.290]  and do that. And then do that to
[01:30:57.290 --> 01:30:59.670]  standalone mode. We achieve
[01:30:59.670 --> 01:31:01.930]  another thing unlocked and we now have a
[01:31:01.930 --> 01:31:04.750]  first ever implementation of a glitching config attack
[01:31:04.910 --> 01:31:05.790]  in a standalone mode
[01:31:05.790 --> 01:31:07.730]  for Proxmark. And we call this
[01:31:07.730 --> 01:31:09.390]  standalone mode hf_iceclass
[01:31:09.390 --> 01:31:11.670]  because we really love the way
[01:31:11.670 --> 01:31:13.610]  naming things. Instead of
[01:31:13.610 --> 01:31:15.470]  iClass, we call it Ice Class.
[01:31:15.470 --> 01:31:16.550]  Because of me.
[01:31:17.570 --> 01:31:19.490]  However, this little mode only
[01:31:19.490 --> 01:31:21.290]  works on Proxmark RDV4.
[01:31:21.290 --> 01:31:23.030]  It saves files to
[01:31:25.250 --> 01:31:25.750]  the
[01:31:26.930 --> 01:31:27.690]  on-board
[01:31:27.690 --> 01:31:29.610]  store memory, which will look like this.
[01:31:29.610 --> 01:31:31.370]  I will explain the four
[01:31:31.370 --> 01:31:33.450]  different modes. Basically, you
[01:31:33.450 --> 01:31:35.510]  upload, you have a dump of your credential before.
[01:31:35.510 --> 01:31:37.190]  You talked about secure storage. You dump it
[01:31:37.190 --> 01:31:39.250]  with Proxmark. You read it off.
[01:31:39.490 --> 01:31:40.990]  You send it up to the
[01:31:40.990 --> 01:31:43.170]  flash memory and then you just start
[01:31:43.170 --> 01:31:45.770]  the standalone mode and it simulates it.
[01:31:45.770 --> 01:31:47.270]  It keeps on simulating just before
[01:31:47.270 --> 01:31:48.710]  but it's a complete standalone.
[01:31:48.850 --> 01:31:51.330]  You press the button to exit and then
[01:31:51.330 --> 01:31:53.290]  it saves a copy of that emulated
[01:31:53.290 --> 01:31:55.250]  memory. So you have, as you see,
[01:31:55.250 --> 01:31:57.310]  you have the original bin that you were simulating
[01:31:57.310 --> 01:31:58.930]  the dump and then you have a modified
[01:31:58.930 --> 01:32:01.090]  so you can see what the reader
[01:32:01.090 --> 01:32:03.230]  did to update it or if it did any
[01:32:03.230 --> 01:32:05.290]  updates to it. Usually the e-purse of course
[01:32:05.290 --> 01:32:07.330]  but it could have changed the PACS data.
[01:32:07.670 --> 01:32:09.510]  So it's a good thing to have.
[01:32:10.130 --> 01:32:11.070]  Next.
[01:32:12.790 --> 01:32:13.350]  The
[01:32:13.350 --> 01:32:15.330]  reader attack is based on
[01:32:15.330 --> 01:32:17.610]  the elite recovery attack.
[01:32:17.610 --> 01:32:19.450]  It's a two-phase attack which you need
[01:32:19.450 --> 01:32:21.350]  the online part where you send
[01:32:21.350 --> 01:32:23.310]  and emulate some CSN and you
[01:32:23.310 --> 01:32:25.370]  recover that data,
[01:32:25.370 --> 01:32:26.650]  store it to a file.
[01:32:27.370 --> 01:32:29.510]  And it's a very simple one.
[01:32:30.010 --> 01:32:31.230]  Since you have the simulation
[01:32:31.230 --> 01:32:33.210]  in place, it's very simple to do.
[01:32:33.210 --> 01:32:34.790]  So as you say that
[01:32:34.790 --> 01:32:37.070]  you want to do this attack, you put
[01:32:37.070 --> 01:32:38.790]  the CSN on there and you
[01:32:39.350 --> 01:32:41.190]  present this to an elite configured
[01:32:41.190 --> 01:32:43.030]  reader and it collects the data
[01:32:43.030 --> 01:32:44.970]  very fast and it quits the
[01:32:44.970 --> 01:32:46.690]  standalone mode and you can go to the next
[01:32:47.230 --> 01:32:48.970]  reader and do the same thing. Start
[01:32:48.970 --> 01:32:50.810]  the standalone mode and collect this data from those
[01:32:50.810 --> 01:32:52.890]  and do that over and over again. Then
[01:32:52.890 --> 01:32:55.090]  you go home and you download it from the memory
[01:32:55.090 --> 01:32:56.950]  of the Proxmark and
[01:32:56.950 --> 01:32:58.830]  you run the loclass attack on the data we collected
[01:32:58.830 --> 01:33:00.230]  and recover the key.
[01:33:00.230 --> 01:33:02.230]  Super simple, all of a sudden
[01:33:02.230 --> 01:33:04.310]  very much more useful for pen tests
[01:33:04.310 --> 01:33:06.570]  and all that other stuff. Fun attacks!
[01:33:08.450 --> 01:33:10.590]  The third one is a read and dump.
[01:33:10.670 --> 01:33:12.330]  It's just a plain simple one
[01:33:12.330 --> 01:33:13.510]  for people who want to
[01:33:13.510 --> 01:33:15.910]  go snooping credentials
[01:33:15.910 --> 01:33:18.330]  secretly on the toilet, which I've seen someone do
[01:33:18.330 --> 01:33:20.210]  with these major antennas. Now you
[01:33:20.210 --> 01:33:22.170]  can do it with your large HF antenna
[01:33:22.170 --> 01:33:24.270]  or battery and you just present
[01:33:24.270 --> 01:33:25.230]  it and it just
[01:33:25.730 --> 01:33:28.150]  you start it and it starts reading and it starts dumping
[01:33:28.150 --> 01:33:29.530]  and you press the button to quit it
[01:33:29.530 --> 01:33:31.590]  and it saves all the dumps it finds
[01:33:31.590 --> 01:33:33.990]  it saves it to the flash
[01:33:33.990 --> 01:33:36.150]  memory. As you see here, it has two cards
[01:33:36.150 --> 01:33:38.150]  I presented to it. It goes kind of fast, it takes
[01:33:38.870 --> 01:33:40.610]  a quarter of a second to do it.
[01:33:40.730 --> 01:33:41.930]  And the glitch and config
[01:33:42.350 --> 01:33:44.110]  card... We'll just do a live demo.
[01:33:44.810 --> 01:33:45.850]  Yeah, yeah, yeah.
[01:33:45.990 --> 01:33:47.250]  We'll do a live demo, yeah.
[01:33:47.530 --> 01:33:49.690]  So for glitch and config, what I was
[01:33:50.670 --> 01:33:52.030]  explaining before I really cut
[01:33:52.030 --> 01:33:54.210]  him off, is that
[01:33:54.210 --> 01:33:56.150]  the short version behind the
[01:33:56.150 --> 01:33:57.950]  glitch is that there
[01:33:57.950 --> 01:34:00.230]  was in two of the most
[01:34:00.230 --> 01:34:01.590]  popular versions of firmware
[01:34:02.150 --> 01:34:04.250]  of legacy iClass
[01:34:04.250 --> 01:34:06.230]  readers, there was a bug in the
[01:34:06.230 --> 01:34:08.110]  firmware that if the
[01:34:08.110 --> 01:34:10.150]  card was programmed a certain way
[01:34:10.150 --> 01:34:12.310]  the card misbehaved, the reader
[01:34:12.310 --> 01:34:13.950]  would lock up, get
[01:34:13.950 --> 01:34:15.990]  confused, and then a watchdog
[01:34:15.990 --> 01:34:18.410]  timer would kick in and reboot the reader.
[01:34:18.410 --> 01:34:19.950]  Normally it's not a big deal.
[01:34:19.950 --> 01:34:22.050]  Reader reboots still works, no problem.
[01:34:22.050 --> 01:34:23.990]  However, once you remember that
[01:34:23.990 --> 01:34:26.110]  configuration cards can only be used
[01:34:26.110 --> 01:34:28.190]  right after the reader boots up,
[01:34:28.190 --> 01:34:29.930]  now you have an
[01:34:29.930 --> 01:34:31.830]  attack chain that you can use to
[01:34:31.830 --> 01:34:33.950]  reconfigure the reader without ever actually
[01:34:33.950 --> 01:34:35.690]  taking the reader off the wall.
[01:34:35.690 --> 01:34:38.090]  And we're going to do a demo of some of the things that you can do
[01:34:38.090 --> 01:34:39.870]  with that. So now we have
[01:34:39.870 --> 01:34:42.230]  30 minutes for live demos. We're going to go
[01:34:44.090 --> 01:34:44.710]  very,
[01:34:44.710 --> 01:34:46.090]  very, very fast.
[01:34:46.090 --> 01:34:47.930]  As fast as I reasonably can.
[01:34:48.350 --> 01:34:49.950]  We worked hard to make this happen
[01:34:49.950 --> 01:34:52.190]  for them. You have to understand
[01:34:52.830 --> 01:34:55.050]  it's been two long months.
[01:34:55.050 --> 01:34:56.330]  So, I'm going to go fast
[01:34:56.330 --> 01:34:57.150]  because
[01:34:58.190 --> 01:35:00.350]  RF Hacker Sanctuary
[01:35:00.350 --> 01:35:01.790]  is going to kick us off
[01:35:01.790 --> 01:35:04.390]  in half an hour sharp.
[01:35:04.870 --> 01:35:06.410]  So, we can talk about
[01:35:06.410 --> 01:35:08.410]  this more later in the Discord channel
[01:35:08.410 --> 01:35:10.150]  or elsewhere. So,
[01:35:10.150 --> 01:35:12.130]  first thing we're going to do, we're going to talk about that
[01:35:12.130 --> 01:35:14.230]  tech downgrade attack that I
[01:35:14.230 --> 01:35:16.310]  was talking about. So, for example
[01:35:16.930 --> 01:35:18.350]  we're going to take
[01:35:18.350 --> 01:35:18.870]  this reader
[01:35:19.430 --> 01:35:21.190]  we had before.
[01:35:27.810 --> 01:35:28.850]  It's been
[01:35:28.850 --> 01:35:30.910]  an intensive month for us to
[01:35:30.910 --> 01:35:32.830]  do this and we're really psyched to show you off
[01:35:32.830 --> 01:35:34.810]  all of this stuff actually. I did not get
[01:35:34.810 --> 01:35:37.290]  much sleep. Alright.
[01:35:37.650 --> 01:35:38.970]  So, we have this reader
[01:35:38.970 --> 01:35:41.250]  and if you recall,
[01:35:41.250 --> 01:35:42.990]  that reader reads
[01:35:42.990 --> 01:35:45.610]  multiple credential technologies.
[01:35:45.610 --> 01:35:46.650]  So, it reads
[01:35:46.650 --> 01:35:48.110]  Prox.
[01:35:48.490 --> 01:35:50.810]  It reads Indala.
[01:35:51.730 --> 01:35:52.810]  This one
[01:35:52.810 --> 01:35:54.290]  also, you know, it reads
[01:35:54.290 --> 01:35:56.570]  I-Class.
[01:35:56.570 --> 01:35:58.530]  And it also reads
[01:35:58.530 --> 01:36:01.010]  SEOS. I have a
[01:36:01.010 --> 01:36:02.790]  SEOS card here.
[01:36:02.790 --> 01:36:06.530]  That's actually a DESFire card.
[01:36:06.530 --> 01:36:07.310]  Right.
[01:36:07.310 --> 01:36:08.850]  And here is a
[01:36:09.970 --> 01:36:12.210]  SEOS card here.
[01:36:12.210 --> 01:36:13.270]  For you who don't
[01:36:13.270 --> 01:36:14.530]  understand this, this is a very
[01:36:14.530 --> 01:36:16.050]  amazing reader.
[01:36:17.470 --> 01:36:18.630]  So, what we're
[01:36:18.630 --> 01:36:20.870]  going to do is show you
[01:36:20.870 --> 01:36:22.710]  how to take a
[01:36:23.150 --> 01:36:25.050]  secure credential that we don't know how to talk to
[01:36:25.050 --> 01:36:26.930]  and copy it to a weaker
[01:36:26.930 --> 01:36:28.770]  credential technology. So,
[01:36:28.770 --> 01:36:30.990]  we're going to start with, right now this is
[01:36:30.990 --> 01:36:32.990]  blank, so it does nothing. We'll set that right
[01:36:32.990 --> 01:36:35.490]  next to the reader. And
[01:36:35.490 --> 01:36:36.870]  by way of example, what we're
[01:36:36.870 --> 01:36:38.530]  going to do is we're going to grab
[01:36:39.410 --> 01:36:41.310]  we're going to start with, we're going to pick
[01:36:41.310 --> 01:36:42.570]  on Desfire. Actually,
[01:36:42.570 --> 01:36:44.450]  yeah. So, we have two cards
[01:36:44.450 --> 01:36:46.510]  here. We have a DESFire EV1
[01:36:46.510 --> 01:36:48.570]  and an example of a SEOS card.
[01:36:48.570 --> 01:36:50.390]  There's nothing special about these cards. They were
[01:36:50.390 --> 01:36:51.750]  ordered through a regular
[01:36:52.330 --> 01:36:54.450]  supplier. This is a regular, you know, customer
[01:36:54.450 --> 01:36:56.490]  card. And
[01:36:56.490 --> 01:36:58.510]  they work with the system.
[01:36:59.890 --> 01:37:00.570]  So, that's
[01:37:00.570 --> 01:37:02.910]  one card. That's the other card.
[01:37:02.950 --> 01:37:04.370]  And so, if you are an
[01:37:04.370 --> 01:37:06.550]  attacker, you might think, okay, the first thing I'm
[01:37:06.550 --> 01:37:08.490]  going to do is I'm going to go to my Proxmark
[01:37:09.470 --> 01:37:10.450]  and I'm going to switch
[01:37:10.450 --> 01:37:12.310]  here. There we go. So, I'm going to go to my
[01:37:12.310 --> 01:37:14.090]  Proxmark. I'm going to type in
[01:37:14.090 --> 01:37:16.630]  hf search and oh,
[01:37:16.630 --> 01:37:18.250]  crap. It's, you know,
[01:37:18.250 --> 01:37:19.230]  some sort of
[01:37:20.590 --> 01:37:21.830]  oh, that's right. This is
[01:37:21.830 --> 01:37:24.730]  this card emulates multiple technologies.
[01:37:24.850 --> 01:37:26.250]  So, okay. This is a 14a
[01:37:26.250 --> 01:37:28.110]  card that
[01:37:28.110 --> 01:37:30.350]  rather, it's a Java card that
[01:37:30.350 --> 01:37:32.290]  uses 14a commands to communicate.
[01:37:32.290 --> 01:37:34.470]  Short version, we don't know how to talk to
[01:37:34.470 --> 01:37:36.630]  it. Here's a
[01:37:36.630 --> 01:37:37.550]  DESFire credential.
[01:37:41.720 --> 01:37:42.680]  There's a DESFire
[01:37:42.680 --> 01:37:44.560]  card. Again, we don't
[01:37:44.560 --> 01:37:46.620]  know the keys. We don't know how to
[01:37:46.620 --> 01:37:48.900]  read the data off of these cards.
[01:37:48.900 --> 01:37:50.940]  But the reader does, right?
[01:37:50.940 --> 01:37:52.480]  So, what I can do
[01:37:52.480 --> 01:37:54.600]  is I can take this reader, and
[01:37:54.600 --> 01:37:56.120]  remember, this special reader
[01:37:56.120 --> 01:37:58.680]  is showing me, because
[01:37:58.680 --> 01:38:00.620]  of this little add-on here, it's showing
[01:38:00.620 --> 01:38:02.560]  me the Wiegand data that's on that
[01:38:02.560 --> 01:38:04.820]  reader. So, what I can do
[01:38:04.820 --> 01:38:06.420]  is I can say,
[01:38:06.420 --> 01:38:08.780]  take this SEOS card.
[01:38:09.480 --> 01:38:10.740]  I can read it,
[01:38:10.740 --> 01:38:12.740]  and I can see, oh, that Wiegand
[01:38:12.740 --> 01:38:14.320]  data is 2547
[01:38:15.220 --> 01:38:16.340]  E76.
[01:38:18.400 --> 01:38:19.140]  So,
[01:38:19.140 --> 01:38:20.280]  we're going to come back here
[01:38:21.120 --> 01:38:22.800]  to DopePad.
[01:38:29.660 --> 01:38:30.700]  So, I'm
[01:38:30.700 --> 01:38:32.920]  going to type it again. Pardon me.
[01:38:33.520 --> 01:38:34.400]  So, this is
[01:38:34.400 --> 01:38:35.420]  2547
[01:38:37.520 --> 01:38:38.080]  E
[01:38:38.480 --> 01:38:39.320]  76.
[01:38:42.780 --> 01:38:44.520]  And I'm going to convert that
[01:38:45.320 --> 01:38:45.820]  to
[01:38:47.460 --> 01:38:48.460]  binary.
[01:38:48.540 --> 01:38:49.040]  Whoops.
[01:38:50.820 --> 01:38:52.260]  There we go.
[01:38:56.450 --> 01:38:56.950]  And
[01:38:56.950 --> 01:38:59.150]  let me just make sure that we have
[01:39:00.110 --> 01:39:01.530]  26 bits.
[01:39:01.530 --> 01:39:02.810]  We do. Good.
[01:39:02.890 --> 01:39:04.730]  The next thing that I'm going to kind of gloss over
[01:39:04.730 --> 01:39:06.690]  here, those of you who are
[01:39:06.690 --> 01:39:09.110]  familiar with the Proxmark and know Prox,
[01:39:09.110 --> 01:39:11.230]  Prox credentials have a
[01:39:11.890 --> 01:39:13.670]  preamble that is necessary
[01:39:13.670 --> 01:39:15.290]  to use when programming it with the Proxmark.
[01:39:15.290 --> 01:39:17.330]  So, that's what I'm doing here. What I've done is
[01:39:17.330 --> 01:39:19.010]  I've just added this preamble
[01:39:19.010 --> 01:39:20.990]  that the Proxmark client requires
[01:39:20.990 --> 01:39:23.430]  in order to encode Prox credentials.
[01:39:23.730 --> 01:39:25.170]  And I'm going to take this string
[01:39:26.270 --> 01:39:27.190]  and I'm going
[01:39:27.190 --> 01:39:29.130]  to encode it back into
[01:39:29.130 --> 01:39:31.210]  hex. So, the
[01:39:31.210 --> 01:39:32.930]  hex value that we're going to write in our
[01:39:32.930 --> 01:39:34.750]  Proxmark client is this, this
[01:39:36.550 --> 01:39:37.070]  2006547
[01:39:37.070 --> 01:39:39.090]  Echo 76. So,
[01:39:39.090 --> 01:39:41.170]  now, we're going to pop back over to our
[01:39:41.170 --> 01:39:43.190]  Proxmark client, and we're going
[01:39:43.190 --> 01:39:45.030]  to take this low frequency
[01:39:45.770 --> 01:39:46.350]  T5577
[01:39:48.170 --> 01:39:48.750]  and
[01:39:48.750 --> 01:39:51.230]  there we go, fit on camera there
[01:39:51.230 --> 01:39:52.930]  and we'll run LF
[01:39:52.930 --> 01:39:53.830]  HID clone
[01:39:55.030 --> 01:39:56.650]  and then this new value
[01:39:58.430 --> 01:39:59.190]  and then
[01:39:59.190 --> 01:40:01.270]  I'll double check my work to make sure
[01:40:01.270 --> 01:40:02.810]  it's there.
[01:40:03.190 --> 01:40:05.530]  Yep, that's there. So,
[01:40:05.530 --> 01:40:07.370]  if I did this correctly,
[01:40:07.370 --> 01:40:09.270]  now, these two cards
[01:40:09.270 --> 01:40:11.350]  should be the same. So, let's switch
[01:40:11.350 --> 01:40:13.410]  back to our BigView camera
[01:40:17.550 --> 01:40:18.030]  and
[01:40:18.030 --> 01:40:19.970]  I'm going to... I know you can't see the top
[01:40:19.970 --> 01:40:21.690]  of the reader, but that's okay. So, here's our
[01:40:21.690 --> 01:40:24.130]  original credential.
[01:40:24.490 --> 01:40:25.710]  There's our Wiegand data,
[01:40:25.710 --> 01:40:27.910]  2547 Echo 76. Let's
[01:40:27.910 --> 01:40:29.590]  go ahead and try our
[01:40:29.590 --> 01:40:30.730]  Prox card.
[01:40:32.150 --> 01:40:34.230]  Same data, 2547
[01:40:34.230 --> 01:40:36.070]  Echo 76.
[01:40:36.270 --> 01:40:37.870]  This is the data that the door
[01:40:37.870 --> 01:40:39.790]  controller is seeing. So, what that
[01:40:39.790 --> 01:40:41.790]  means is that right now, as far as the
[01:40:41.790 --> 01:40:43.770]  door controller is concerned,
[01:40:43.770 --> 01:40:45.750]  this very, very secure and
[01:40:45.750 --> 01:40:47.070]  much more expensive credential
[01:40:47.590 --> 01:40:49.510]  is equivalent in security
[01:40:49.510 --> 01:40:51.650]  access in all things to this
[01:40:51.650 --> 01:40:53.870]  one. And it's only because
[01:40:54.730 --> 01:40:55.670]  this reader
[01:40:55.670 --> 01:40:57.550]  was left in transition mode.
[01:40:57.550 --> 01:40:59.710]  It was left in the mode that allows it to
[01:40:59.710 --> 01:41:01.490]  read other, more secure
[01:41:01.490 --> 01:41:03.650]  credential types that we do know
[01:41:03.650 --> 01:41:05.630]  how to talk to. So, even when we're
[01:41:05.630 --> 01:41:07.570]  dealing with secure credentials,
[01:41:07.570 --> 01:41:09.950]  as it relates to access control,
[01:41:09.950 --> 01:41:11.790]  sometimes we can find other ways
[01:41:11.790 --> 01:41:13.810]  of re-encoding that credential data
[01:41:13.810 --> 01:41:16.010]  onto something else and making it work
[01:41:16.010 --> 01:41:17.330]  with the reader.
[01:41:18.810 --> 01:41:20.170]  So,
[01:41:20.170 --> 01:41:22.730]  same demo, super fast,
[01:41:22.730 --> 01:41:24.330]  with DESFire.
[01:41:24.330 --> 01:41:26.170]  So, here is...
[01:41:26.170 --> 01:41:28.450]  here's our DESFire credential.
[01:41:28.970 --> 01:41:29.810]  This has
[01:41:29.810 --> 01:41:32.070]  different Wiegand data. This one is
[01:41:32.070 --> 01:41:33.750]  1 Bravo 5 Delta
[01:41:33.750 --> 01:41:35.490]  Bravo 6 Delta.
[01:41:35.650 --> 01:41:37.950]  And we're going to switch back to
[01:41:37.950 --> 01:41:40.030]  our notepad here.
[01:41:41.450 --> 01:41:42.010]  And
[01:41:42.010 --> 01:41:44.370]  we're going to run through this super quick.
[01:41:44.430 --> 01:41:46.570]  So, we'll just delete all this.
[01:41:46.570 --> 01:41:48.090]  So, now we're going to do this credential.
[01:41:48.090 --> 01:41:48.610]  We're going to do
[01:41:50.350 --> 01:41:52.430]  1 Bravo 5
[01:41:53.370 --> 01:41:53.930]  Delta
[01:41:53.930 --> 01:41:55.870]  Bravo 6 Delta.
[01:41:56.990 --> 01:41:57.950]  And we're going to
[01:41:57.950 --> 01:41:59.890]  copy that. We're going to
[01:41:59.890 --> 01:42:00.630]  convert that
[01:42:02.330 --> 01:42:03.650]  to Wiegand.
[01:42:05.250 --> 01:42:06.090]  And it looks
[01:42:06.090 --> 01:42:07.970]  like it dropped a leading zero, so we're going to
[01:42:07.970 --> 01:42:09.790]  add that back in. I only saw
[01:42:09.790 --> 01:42:11.230]  25 bits.
[01:42:12.030 --> 01:42:14.330]  And we're also going to add our
[01:42:15.050 --> 01:42:16.090]  prox preamble
[01:42:18.650 --> 01:42:19.570]  here.
[01:42:20.710 --> 01:42:22.110]  And then we're going to convert
[01:42:22.110 --> 01:42:22.550]  that
[01:42:23.970 --> 01:42:25.410]  back to Wiegand.
[01:42:25.730 --> 01:42:27.750]  Sorry, back to the format that the
[01:42:27.750 --> 01:42:30.050]  Proxmark3 is going to expect.
[01:42:30.590 --> 01:42:32.050]  And, again,
[01:42:32.050 --> 01:42:33.750]  we're going to do the same thing.
[01:42:33.750 --> 01:42:34.610]  We're going to take
[01:42:37.490 --> 01:42:39.570]  our Proxmark,
[01:42:41.900 --> 01:42:43.400]  run
[01:42:43.400 --> 01:42:45.340]  lf hid clone
[01:42:45.860 --> 01:42:47.680]  and then this value.
[01:42:47.680 --> 01:42:49.540]  Make sure it wrote.
[01:42:49.820 --> 01:42:52.240]  Looks good. Let's try it.
[01:42:53.780 --> 01:42:56.280]  So, switching back here.
[01:42:57.900 --> 01:43:00.480]  Here's our DESFire credential.
[01:43:00.520 --> 01:43:01.160]  We have
[01:43:01.160 --> 01:43:03.560]  1 Bravo 5 Delta Bravo 6 Delta
[01:43:03.560 --> 01:43:05.420]  access granted. Here's our prox
[01:43:05.420 --> 01:43:06.460]  credential.
[01:43:07.120 --> 01:43:09.320]  Same credential. 1 Bravo 5
[01:43:09.320 --> 01:43:11.640]  Delta Bravo 6 Delta. So, again,
[01:43:11.640 --> 01:43:13.540]  two different examples, different
[01:43:13.540 --> 01:43:15.500]  card technologies completely, right? We did
[01:43:15.500 --> 01:43:17.460]  not crack DESFire. We did not crack
[01:43:17.460 --> 01:43:19.380]  SEOS. What we did is we took
[01:43:19.380 --> 01:43:21.420]  advantage of a configuration in
[01:43:21.420 --> 01:43:23.400]  the system that was not changed
[01:43:23.400 --> 01:43:25.160]  after the transition or the migration
[01:43:25.160 --> 01:43:27.360]  was complete. So, that's the
[01:43:27.360 --> 01:43:29.240]  entire concept behind a technology
[01:43:29.240 --> 01:43:31.280]  downgrade attack. It's something that
[01:43:31.280 --> 01:43:33.200]  not everyone really thinks about very often
[01:43:33.200 --> 01:43:35.300]  and it's crucial to be aware of as
[01:43:35.300 --> 01:43:37.520]  customers, as integrators, as installers
[01:43:37.520 --> 01:43:39.300]  in defending the system because
[01:43:39.300 --> 01:43:41.220]  it really undermines the security
[01:43:41.220 --> 01:43:42.720]  of the system otherwise.
[01:43:43.760 --> 01:43:44.780]  All right.
[01:43:44.960 --> 01:43:47.280]  So, now we're going to move on to...
[01:43:52.440 --> 01:43:53.480]  Let's do...
[01:43:53.480 --> 01:43:55.620]  Let me just show config cards, actually,
[01:43:55.620 --> 01:43:57.620]  because it's related. So, let's say...
[01:43:57.620 --> 01:43:59.300]  Let's say, like, okay,
[01:43:59.300 --> 01:44:00.920]  well, you know what? We disabled
[01:44:00.920 --> 01:44:03.380]  those old credentials. So, we're fine.
[01:44:03.380 --> 01:44:05.360]  So, we're secure, right? So, actually,
[01:44:05.360 --> 01:44:06.160]  I'm going to take
[01:44:07.040 --> 01:44:08.620]  this reader off.
[01:44:08.820 --> 01:44:10.520]  I have a different reader.
[01:44:13.760 --> 01:44:15.600]  And I pre-baked a
[01:44:15.600 --> 01:44:28.200]  cake already. Yes, correct.
[01:44:28.200 --> 01:44:29.700]  All right.
[01:44:29.700 --> 01:44:31.300]  So, here we have a different
[01:44:31.300 --> 01:44:33.040]  reader. And right off the bat, what we're going to
[01:44:33.040 --> 01:44:35.120]  notice is it says multi-class.
[01:44:35.120 --> 01:44:37.240]  It says that it's a migration or a transition
[01:44:37.240 --> 01:44:38.740]  reader, but it doesn't read
[01:44:38.740 --> 01:44:40.880]  prox. It
[01:44:40.880 --> 01:44:43.400]  doesn't read, if I present it, a
[01:44:44.380 --> 01:44:45.340]  regular iClass
[01:44:45.340 --> 01:44:47.500]  card. Let's see here. I forgot.
[01:44:47.500 --> 01:44:49.520]  So, here's my regular iClass card.
[01:44:49.520 --> 01:44:51.320]  It doesn't read that either.
[01:44:51.320 --> 01:44:54.600]  It will, however,
[01:44:54.600 --> 01:44:56.320]  read SEOS.
[01:44:56.320 --> 01:44:57.420]  Okay? So, right
[01:44:57.420 --> 01:44:59.220]  now, we're like, great. This is a secure
[01:44:59.220 --> 01:45:01.420]  reader, right? We're set. However,
[01:45:01.420 --> 01:45:03.340]  remember, configuration cards can
[01:45:03.340 --> 01:45:05.220]  change the behavior of the reader.
[01:45:05.220 --> 01:45:07.400]  So, now we have a reader that only supports
[01:45:07.400 --> 01:45:08.600]  SEOS, but
[01:45:09.920 --> 01:45:11.340]  what we can do is
[01:45:11.340 --> 01:45:12.220]  we can use
[01:45:15.000 --> 01:45:15.280]  a different
[01:45:15.280 --> 01:45:16.340]  configuration card
[01:45:17.260 --> 01:45:19.080]  to re-enable those legacy
[01:45:19.080 --> 01:45:21.700]  credentials. So, I'm going to power cycle the reader.
[01:45:23.340 --> 01:45:24.900]  I'm going to present the configuration
[01:45:25.200 --> 01:45:27.600]  card to re-enable legacy credentials.
[01:45:28.260 --> 01:45:29.420]  It's going to take a
[01:45:29.420 --> 01:45:31.260]  couple of seconds as it reads that data off
[01:45:31.260 --> 01:45:33.260]  the card. And these are standard
[01:45:33.260 --> 01:45:35.200]  parts, to be clear. This is not
[01:45:35.200 --> 01:45:37.120]  an exploit. This is using
[01:45:37.120 --> 01:45:39.080]  design-intended functionality
[01:45:39.080 --> 01:45:41.260]  that is available to any customer, right? So, these
[01:45:41.260 --> 01:45:43.640]  are cards that can be ordered by customers,
[01:45:44.000 --> 01:45:45.280]  by integrators.
[01:45:45.540 --> 01:45:47.140]  And now, if that card worked
[01:45:47.140 --> 01:45:49.240]  correctly, what we're going to see is
[01:45:49.240 --> 01:45:51.040]  there's my Prox,
[01:45:51.040 --> 01:45:53.020]  right? There's my
[01:45:53.020 --> 01:45:54.960]  iClass. It all comes back.
[01:45:55.500 --> 01:45:56.980]  So, that is
[01:45:56.980 --> 01:45:59.040]  something to be mindful of.
[01:45:59.040 --> 01:46:01.160]  Being able to take the reader off the wall
[01:46:01.160 --> 01:46:03.100]  and power cycle it, if you're not monitoring
[01:46:03.100 --> 01:46:04.560]  for that, that can
[01:46:05.220 --> 01:46:07.240]  be a huge gap in the
[01:46:07.240 --> 01:46:08.920]  system's security. Because
[01:46:08.920 --> 01:46:10.360]  older, more secure
[01:46:10.980 --> 01:46:12.120]  credential technologies
[01:46:13.020 --> 01:46:15.480]  might be re-enabled in the reader.
[01:46:15.480 --> 01:46:16.820]  And then, someone can just
[01:46:16.820 --> 01:46:19.100]  take one of those readers that can read your
[01:46:19.100 --> 01:46:21.180]  secure credentials and then convert
[01:46:21.180 --> 01:46:23.540]  that Wiegand data to work off of a
[01:46:23.540 --> 01:46:25.140]  card that you can easily
[01:46:25.140 --> 01:46:27.060]  read and write with a Proxmark or any
[01:46:27.060 --> 01:46:27.980]  other tool.
[01:46:28.900 --> 01:46:31.420]  So, that attack, again,
[01:46:32.520 --> 01:46:33.040]  is...
[01:46:33.040 --> 01:46:35.140]  I don't consider it an exploit.
[01:46:35.140 --> 01:46:37.060]  I consider it taking advantage of
[01:46:37.060 --> 01:46:38.940]  misconfiguration, taking advantage
[01:46:38.940 --> 01:46:41.220]  of how the system was designed.
[01:46:41.220 --> 01:46:42.980]  In fact, this issue is not
[01:46:42.980 --> 01:46:44.840]  unique to HID.
[01:46:45.660 --> 01:46:46.860]  Multiple brands,
[01:46:46.860 --> 01:46:49.140]  many brands, have this problem.
[01:46:49.140 --> 01:46:50.620]  So, what I have here
[01:46:52.740 --> 01:46:53.260]  is...
[01:46:53.260 --> 01:46:54.880]  And I'm not going to do a full demo
[01:46:54.880 --> 01:46:56.220]  on this other one.
[01:46:56.840 --> 01:46:58.500]  I'm just going to move our camera.
[01:47:01.580 --> 01:47:02.420]  So, we have...
[01:47:02.420 --> 01:47:04.840]  Oh, there we go. It's a little jittery.
[01:47:04.840 --> 01:47:06.920]  My apologies. So, we have a
[01:47:06.920 --> 01:47:08.660]  different branded reader. This is just
[01:47:08.660 --> 01:47:10.600]  an example. Again, I want
[01:47:10.600 --> 01:47:12.720]  to be clear. We're not picking on any one
[01:47:12.720 --> 01:47:14.520]  brand. This is just something to be aware of
[01:47:14.520 --> 01:47:16.720]  as far as systems can be designed.
[01:47:16.720 --> 01:47:18.560]  So, right now, this
[01:47:18.560 --> 01:47:20.620]  card reader will read and
[01:47:20.620 --> 01:47:21.840]  beep on both
[01:47:21.840 --> 01:47:23.380]  high frequency
[01:47:24.620 --> 01:47:25.860]  contactless smart cards
[01:47:25.860 --> 01:47:27.920]  and low frequency
[01:47:29.560 --> 01:47:30.300]  cards.
[01:47:30.300 --> 01:47:31.720]  So, it's reading both this
[01:47:31.720 --> 01:47:33.860]  MIFARE card and this Prox
[01:47:33.860 --> 01:47:34.740]  card.
[01:47:35.590 --> 01:47:37.160]  So, there we go.
[01:47:38.860 --> 01:47:39.820]  I can't
[01:47:39.820 --> 01:47:41.460]  fit everything. Hold on.
[01:47:42.620 --> 01:47:44.260]  Yeah, you can do it.
[01:47:44.860 --> 01:47:46.340]  There we go.
[01:47:46.840 --> 01:47:47.780]  So,
[01:47:47.780 --> 01:47:49.860]  again, I can power cycle the reader
[01:47:49.860 --> 01:47:52.440]  and I can
[01:47:52.440 --> 01:47:54.420]  use a different configuration card
[01:47:55.880 --> 01:47:56.500]  to
[01:47:56.500 --> 01:47:58.420]  disable proximity. Now,
[01:47:58.420 --> 01:48:01.040]  when that reader reboots,
[01:48:01.040 --> 01:48:02.460]  it reads MIFARE
[01:48:02.460 --> 01:48:04.480]  as expected, and that's
[01:48:04.480 --> 01:48:06.440]  fine, but it's not going to read
[01:48:06.440 --> 01:48:08.480]  this Prox card.
[01:48:09.420 --> 01:48:10.460]  So, let's say
[01:48:10.620 --> 01:48:12.900]  a customer has that in a secure configuration.
[01:48:12.900 --> 01:48:14.260]  Again, if you're not
[01:48:14.260 --> 01:48:16.940]  monitoring your tamper sensors,
[01:48:16.940 --> 01:48:17.980]  someone can come back
[01:48:18.780 --> 01:48:19.980]  and re-enable
[01:48:19.980 --> 01:48:22.040]  proximity, and now
[01:48:22.040 --> 01:48:24.140]  they're able to use Prox credentials
[01:48:24.140 --> 01:48:25.840]  again. So, monitoring
[01:48:25.840 --> 01:48:27.700]  those tamper sensors on the back of the reader
[01:48:27.700 --> 01:48:29.980]  is very, very important, because
[01:48:29.980 --> 01:48:32.120]  it's the only way to defend against
[01:48:32.120 --> 01:48:34.360]  knowing when these types of manipulations
[01:48:34.360 --> 01:48:35.880]  take place.
[01:48:36.560 --> 01:48:38.080]  Yep, very true.
[01:48:38.080 --> 01:48:39.940]  Alright, our next demo.
[01:48:39.940 --> 01:48:41.940]  So many demos, all the demos. Okay,
[01:48:41.940 --> 01:48:44.360]  we have 15 minutes. Holy crap.
[01:48:44.360 --> 01:48:45.860]  This is going to be interesting.
[01:48:45.860 --> 01:48:47.960]  Alright,
[01:48:47.960 --> 01:48:49.820]  let me grab the
[01:48:49.820 --> 01:48:51.740]  camera again. It's going to be the
[01:48:51.740 --> 01:48:54.600]  best 15 minutes ever. Yep.
[01:48:58.930 --> 01:48:59.350]  In the
[01:48:59.350 --> 01:49:01.170]  RFID hacking.
[01:49:01.290 --> 01:49:02.950]  Alright, so we have
[01:49:02.950 --> 01:49:05.270]  our different readers
[01:49:05.270 --> 01:49:07.330]  already set up.
[01:49:07.870 --> 01:49:08.770]  So we have
[01:49:10.570 --> 01:49:11.290]  our
[01:49:11.290 --> 01:49:13.710]  stand-alone reader mode,
[01:49:13.710 --> 01:49:15.210]  our stand-alone full
[01:49:15.210 --> 01:49:17.490]  simulator mode, our stand-alone
[01:49:17.490 --> 01:49:19.350]  loclass attack mode, and our
[01:49:19.350 --> 01:49:21.190]  stand-alone config card mode.
[01:49:22.470 --> 01:49:23.570]  Iceman, we're not going to
[01:49:23.570 --> 01:49:25.390]  be able to finish all of our demos.
[01:49:25.390 --> 01:49:27.490]  No, yes, take the config card
[01:49:27.490 --> 01:49:29.290]  first. You wanted the config card
[01:49:29.290 --> 01:49:31.190]  one first, okay. Yeah, yeah, yeah.
[01:49:31.190 --> 01:49:33.490]  Okay, so you have...
[01:49:34.530 --> 01:49:35.670]  That's a cool one.
[01:49:35.670 --> 01:49:37.210]  I mean...
[01:49:38.810 --> 01:49:39.590]  The rest is
[01:49:39.590 --> 01:49:41.730]  what we could do with a client before.
[01:49:41.730 --> 01:49:43.550]  Alright, so I'm just going to
[01:49:43.550 --> 01:49:45.130]  explain what's happening.
[01:49:45.130 --> 01:49:47.070]  Put some of these aside.
[01:49:47.490 --> 01:49:49.430]  And we're going to power these readers on.
[01:49:51.720 --> 01:49:52.560]  Alright.
[01:49:52.560 --> 01:49:54.360]  So this is a fun attack.
[01:49:55.240 --> 01:49:56.640]  The reason this is a fun
[01:49:56.640 --> 01:49:57.040]  attack
[01:49:58.240 --> 01:50:00.120]  is because this is a very interesting
[01:50:00.120 --> 01:50:02.840]  denial of service attack. So right now,
[01:50:02.840 --> 01:50:03.600]  we have
[01:50:04.340 --> 01:50:06.480]  two iClass readers. These are older
[01:50:07.280 --> 01:50:08.340]  legacy readers.
[01:50:08.340 --> 01:50:10.500]  These are not modern readers.
[01:50:10.500 --> 01:50:12.080]  These are revision C.
[01:50:12.080 --> 01:50:14.600]  So anything produced before 2012.
[01:50:14.600 --> 01:50:16.580]  And it reads standard
[01:50:16.580 --> 01:50:18.620]  iClass cards. So users
[01:50:18.620 --> 01:50:20.020]  can use that normally.
[01:50:20.500 --> 01:50:22.440]  What we're going to do is we're going to do an
[01:50:22.440 --> 01:50:24.500]  attack where we're going to
[01:50:24.500 --> 01:50:25.960]  glitch one reader.
[01:50:26.040 --> 01:50:28.600]  We're going to automatically reboot it
[01:50:28.600 --> 01:50:30.440]  using the glitch. And then use
[01:50:30.440 --> 01:50:32.620]  the configuration card to put
[01:50:32.620 --> 01:50:34.440]  the reader in something called key
[01:50:34.440 --> 01:50:36.500]  rolling mode. Key rolling mode
[01:50:36.500 --> 01:50:38.120]  is supposed to help you transition
[01:50:38.120 --> 01:50:41.280]  from a standard key to a high security key.
[01:50:41.680 --> 01:50:42.600]  And when you do
[01:50:42.600 --> 01:50:44.500]  that, the reader talks to both old
[01:50:44.500 --> 01:50:46.600]  cards, and then if it finds an old
[01:50:46.600 --> 01:50:48.480]  key, it updates it to the new one.
[01:50:49.260 --> 01:50:50.540]  The issue is, if
[01:50:50.540 --> 01:50:52.440]  all the readers aren't in that mode,
[01:50:52.440 --> 01:50:54.540]  then the key on the card gets changed
[01:50:54.540 --> 01:50:56.400]  to one of the second reader that doesn't necessarily
[01:50:56.400 --> 01:50:58.620]  understand. So what I'm going to do
[01:50:59.040 --> 01:51:00.260]  is I'm going to present my
[01:51:00.260 --> 01:51:03.000]  Proxmark. It's going to glitch the reader.
[01:51:03.440 --> 01:51:04.620]  Oh, I have to. Hold on.
[01:51:04.620 --> 01:51:06.040]  I have to put it in the standard mode.
[01:51:06.380 --> 01:51:07.420]  There we go.
[01:51:08.240 --> 01:51:10.300]  So I'm going to present this here. It's going to
[01:51:10.300 --> 01:51:12.200]  glitch the reader. The reader is going to
[01:51:12.200 --> 01:51:14.260]  reboot. There's the first reboot. Now
[01:51:14.260 --> 01:51:15.660]  the proxmark is going to emulate
[01:51:16.360 --> 01:51:18.080]  a key roll configuration card.
[01:51:18.140 --> 01:51:20.180]  That's complete. And
[01:51:20.180 --> 01:51:22.080]  here's... let's pretend this is the exterior
[01:51:22.080 --> 01:51:24.740]  door. This is the door on the inside.
[01:51:24.740 --> 01:51:25.980]  So here's the same
[01:51:26.600 --> 01:51:27.640]  card.
[01:51:28.060 --> 01:51:30.060]  It works on the first reader.
[01:51:30.060 --> 01:51:32.000]  And now at this point,
[01:51:32.000 --> 01:51:34.680]  the key in this card has been changed.
[01:51:35.140 --> 01:51:36.200]  And it will not
[01:51:36.200 --> 01:51:38.360]  work on the second reader. It will only
[01:51:38.360 --> 01:51:40.000]  work on that first reader.
[01:51:43.240 --> 01:51:44.680]  It's such a
[01:51:44.680 --> 01:51:47.340]  meme.
[01:51:47.340 --> 01:51:48.480]  Alright.
[01:51:48.480 --> 01:51:50.720]  What's the next stupid thing that we can
[01:51:50.720 --> 01:51:53.120]  move to here?
[01:51:53.120 --> 01:51:54.480]  So yeah, full simulation. We're not
[01:51:54.480 --> 01:51:56.740]  going to go into it right now because we are
[01:51:56.740 --> 01:51:58.700]  so gosh darn short on time.
[01:51:58.700 --> 01:52:00.800]  Loclass. Loclass.
[01:52:00.800 --> 01:52:02.360]  Yeah, yeah, yeah.
[01:52:03.060 --> 01:52:04.320]  So actually we have an
[01:52:04.320 --> 01:52:04.800]  elite reader.
[01:52:10.810 --> 01:52:12.190]  Actually, I'm realizing
[01:52:12.190 --> 01:52:14.410]  that the camera doesn't like to be far
[01:52:14.410 --> 01:52:16.350]  away from the computer.
[01:52:16.350 --> 01:52:18.250]  So I'm just going to move this all
[01:52:18.250 --> 01:52:20.750]  really, really close.
[01:52:21.070 --> 01:52:22.490]  There we go. Much
[01:52:22.490 --> 01:52:23.930]  better. So
[01:52:24.910 --> 01:52:26.210]  this is an example
[01:52:26.210 --> 01:52:28.330]  of an elite reader.
[01:52:31.210 --> 01:52:31.850]  And
[01:52:31.850 --> 01:52:34.070]  as it stands right now,
[01:52:35.530 --> 01:52:36.170]  it
[01:52:36.170 --> 01:52:37.310]  does not read
[01:52:38.290 --> 01:52:40.310]  standard iClass cards.
[01:52:40.310 --> 01:52:42.290]  So here's an example of a standard iClass
[01:52:42.290 --> 01:52:43.870]  card. It won't read because
[01:52:43.870 --> 01:52:46.150]  it's not using the high security
[01:52:46.150 --> 01:52:48.410]  key. Here's an elite key designed
[01:52:48.410 --> 01:52:49.150]  for that system
[01:52:50.070 --> 01:52:51.490]  that reads.
[01:52:53.290 --> 01:52:54.330]  What we're going to
[01:52:54.330 --> 01:52:56.290]  do is switch
[01:52:56.290 --> 01:52:58.590]  here so we can see the debug data.
[01:53:00.790 --> 01:53:02.390]  And we're going to hold down
[01:53:03.050 --> 01:53:04.150]  our button to enter
[01:53:04.150 --> 01:53:06.350]  standalone mode. And so
[01:53:06.350 --> 01:53:08.370]  right now, all I have to do is just wave
[01:53:08.370 --> 01:53:09.650]  this over the reader.
[01:53:10.370 --> 01:53:12.310]  And that's it. So now it's
[01:53:12.310 --> 01:53:13.970]  saved that
[01:53:13.970 --> 01:53:15.790]  MAC attack file.
[01:53:16.390 --> 01:53:18.510]  And I can grab that.
[01:53:34.650 --> 01:53:36.650]  What did I do wrong?
[01:53:37.590 --> 01:53:39.810]  There sure is.
[01:53:43.170 --> 01:53:45.230]  Alright. And now we just operate
[01:53:45.230 --> 01:53:47.410]  the loclass attack normally. So we'll do
[01:53:47.410 --> 01:53:50.430]  hf iclass loclass,
[01:53:50.430 --> 01:53:52.110]  and then the file name.
[01:53:54.920 --> 01:53:57.120]  Oh, you're running that version.
[01:53:57.140 --> 01:53:58.860]  I'm running FPGA, yes.
[01:54:02.110 --> 01:54:04.490]  So it's not going to take very long. It's only going to
[01:54:04.490 --> 01:54:06.370]  take us about 30 seconds or so.
[01:54:06.370 --> 01:54:08.130]  And that's going to crack the key.
[01:54:08.130 --> 01:54:10.330]  So now we have the high security key
[01:54:10.330 --> 01:54:11.970]  that was in that reader.
[01:54:12.030 --> 01:54:13.970]  And now if I wanted to,
[01:54:13.970 --> 01:54:16.310]  I could take this elite card
[01:54:16.310 --> 01:54:18.350]  that worked on that
[01:54:18.350 --> 01:54:20.450]  and I can do hf
[01:54:20.450 --> 01:54:22.030]  iclass dump.
[01:54:23.330 --> 01:54:24.650]  Specify the elite key
[01:54:24.650 --> 01:54:26.370]  without spaces.
[01:54:29.400 --> 01:54:30.360]  Make sure to tell
[01:54:30.360 --> 01:54:31.380]  it it's elite.
[01:54:32.160 --> 01:54:34.280]  And there is our data for the card.
[01:54:37.420 --> 01:54:38.460]  So,
[01:54:38.460 --> 01:54:40.460]  that's your standalone loclass attack.
[01:54:41.160 --> 01:54:41.880]  Yeah.
[01:54:41.880 --> 01:54:44.240]  With a battery, just walk around with it and
[01:54:44.240 --> 01:54:46.260]  collect from different readers.
[01:54:46.380 --> 01:54:48.060]  What can we fit in 10 minutes?
[01:54:48.940 --> 01:54:51.020]  We did an out of service,
[01:54:51.020 --> 01:54:52.160]  we did a tech downgrade,
[01:54:52.160 --> 01:54:53.440]  we did key recovery.
[01:54:53.780 --> 01:54:55.940]  Should we show the special door controller
[01:54:55.940 --> 01:54:57.780]  zero day that was sent to us?
[01:54:57.920 --> 01:54:58.620]  Yes!
[01:55:00.180 --> 01:55:01.520]  It's really cool.
[01:55:01.520 --> 01:55:03.360]  So first of all,
[01:55:03.360 --> 01:55:06.220]  I want to make sure the link gets out there.
[01:55:06.680 --> 01:55:07.740]  This repository
[01:55:07.740 --> 01:55:09.940]  contains an
[01:55:10.860 --> 01:55:11.940]  unpatched vulnerability
[01:55:11.940 --> 01:55:14.140]  in a
[01:55:14.140 --> 01:55:15.860]  semi-common, not super common,
[01:55:15.860 --> 01:55:17.760]  semi-common single door
[01:55:17.760 --> 01:55:18.740]  controller.
[01:55:19.580 --> 01:55:21.480]  And I'm going to show you how that works.
[01:55:21.480 --> 01:55:24.000]  So this exploit has been reported to the vendor
[01:55:24.000 --> 01:55:25.880]  that was about nine months ago.
[01:55:25.880 --> 01:55:27.920]  And then the person who discovered the exploit
[01:55:27.920 --> 01:55:29.560]  reached out and said,
[01:55:29.560 --> 01:55:31.660]  hey, I'm kind of done with this.
[01:55:31.660 --> 01:55:33.740]  I want it to be public, but I don't
[01:55:33.740 --> 01:55:35.260]  really feel like doing a talk.
[01:55:35.260 --> 01:55:37.280]  Which is totally fine and reasonable.
[01:55:37.280 --> 01:55:38.620]  So, we got
[01:55:39.700 --> 01:55:41.720]  their demo board, their demo kit
[01:55:42.340 --> 01:55:43.990]  here to show you,
[01:55:43.990 --> 01:55:45.690]  to show everyone how this works.
[01:55:45.930 --> 01:55:48.130]  What's important to mention here is
[01:55:48.130 --> 01:55:50.090]  I'm really big on not picking
[01:55:50.090 --> 01:55:52.050]  on individual vendors because this is
[01:55:52.050 --> 01:55:54.170]  an industry problem. The type
[01:55:54.170 --> 01:55:56.170]  and category of exploit that you're going to see
[01:55:56.170 --> 01:55:57.930]  on this demo is
[01:55:57.930 --> 01:55:59.830]  common, actually. It's not
[01:55:59.830 --> 01:56:01.710]  unique to this situation. I've seen
[01:56:01.710 --> 01:56:04.930]  variations of this, both published and unpublished,
[01:56:04.930 --> 01:56:06.090]  for at
[01:56:06.090 --> 01:56:07.890]  least five or six different
[01:56:07.890 --> 01:56:10.050]  vendors of door controllers,
[01:56:10.050 --> 01:56:11.710]  of software.
[01:56:11.710 --> 01:56:13.250]  And you're just going to see
[01:56:13.250 --> 01:56:15.510]  what can happen when these
[01:56:15.510 --> 01:56:18.670]  systems aren't properly protected and patched.
[01:56:18.750 --> 01:56:19.550]  So,
[01:56:19.550 --> 01:56:21.810]  let's go ahead and
[01:56:21.810 --> 01:56:23.210]  again switch
[01:56:23.870 --> 01:56:26.390]  all this stuff out of the way.
[01:56:31.310 --> 01:56:32.990]  We'll see if the camera
[01:56:32.990 --> 01:56:34.690]  can keep up.
[01:56:34.750 --> 01:56:36.790]  I don't know if it will.
[01:56:42.870 --> 01:56:44.130]  It's really,
[01:56:44.130 --> 01:56:46.950]  really jittery. My apologies to folks.
[01:56:46.950 --> 01:56:50.070]  Well, we've got
[01:56:50.070 --> 01:56:51.850]  less than ten minutes, so
[01:56:52.470 --> 01:56:54.050]  they get jitter and
[01:56:54.050 --> 01:56:55.370]  hoard nothing.
[01:57:14.950 --> 01:57:16.590]  Before we end up,
[01:57:16.590 --> 01:57:19.570]  some questions about the Q&A.
[01:57:19.770 --> 01:57:21.210]  Did you get
[01:57:21.210 --> 01:57:23.290]  something from Wireless Village,
[01:57:23.290 --> 01:57:25.170]  the Ricks of Wasabi,
[01:57:25.170 --> 01:57:27.010]  about where Q&A is
[01:57:27.010 --> 01:57:28.730]  possible to do? Was that in Discord?
[01:57:28.730 --> 01:57:31.110]  No, but we can do it in our Discord.
[01:57:31.110 --> 01:57:31.990]  I don't know.
[01:57:32.010 --> 01:57:33.550]  Yeah, we can do Discord, yeah.
[01:57:37.210 --> 01:57:39.090]  Alright, I will do that soon.
[01:57:39.090 --> 01:57:41.010]  I can let you guys
[01:57:41.010 --> 01:57:42.710]  know if you see that I'm not
[01:57:42.710 --> 01:57:44.290]  paying attention.
[01:57:44.870 --> 01:57:47.030]  Alright, so what we're looking at here
[01:57:47.030 --> 01:57:48.570]  is two Prox card readers
[01:57:48.570 --> 01:57:50.510]  connected to a single door
[01:57:50.510 --> 01:57:52.210]  controller, and
[01:57:52.210 --> 01:57:55.170]  here's our user Alice.
[01:57:55.410 --> 01:57:56.050]  And Alice
[01:57:56.570 --> 01:57:58.790]  can badge in, and
[01:57:58.790 --> 01:58:00.570]  this green
[01:58:01.230 --> 01:58:02.550]  LED represents
[01:58:02.550 --> 01:58:03.850]  the door strike.
[01:58:05.550 --> 01:58:06.530]  I'm realizing
[01:58:06.530 --> 01:58:08.530]  that people can't see me, but that's okay.
[01:58:08.530 --> 01:58:10.350]  So this green LED here represents
[01:58:10.350 --> 01:58:12.310]  the door strike. So here we go.
[01:58:12.350 --> 01:58:14.590]  That's fine. And in fact,
[01:58:14.590 --> 01:58:16.330]  our log...
[01:58:16.330 --> 01:58:17.490]  This is
[01:58:18.230 --> 01:58:20.110]  so tricky. My apologies.
[01:58:20.350 --> 01:58:21.290]  So our log...
[01:58:22.350 --> 01:58:24.210]  I'm just going to explain what's happening,
[01:58:24.210 --> 01:58:26.210]  because we're tight on time. I realize the camera
[01:58:26.210 --> 01:58:28.210]  won't be able to show the screen, unfortunately.
[01:58:28.210 --> 01:58:30.470]  So my sincere apologies to folks there.
[01:58:30.570 --> 01:58:32.170]  But some mics say
[01:58:32.170 --> 01:58:34.270]  Alice can get in, Alice can get
[01:58:34.270 --> 01:58:36.110]  out. Bob
[01:58:36.110 --> 01:58:37.870]  wasn't doing so great on their
[01:58:37.870 --> 01:58:40.130]  employee performance, so they've been
[01:58:40.130 --> 01:58:42.130]  fired. Their badge no longer
[01:58:42.130 --> 01:58:43.010]  works.
[01:58:45.390 --> 01:58:46.430]  Mallory,
[01:58:47.470 --> 01:58:48.330]  our malicious
[01:58:48.330 --> 01:58:50.190]  attacker, is really
[01:58:50.190 --> 01:58:52.310]  interested in what App Incorporation is working
[01:58:52.310 --> 01:58:54.310]  on, but unfortunately
[01:58:54.310 --> 01:58:56.130]  they can't get in either.
[01:58:56.890 --> 01:58:58.090]  So what we're going to do
[01:58:58.090 --> 01:58:59.510]  is we're going to plug in
[01:58:59.510 --> 01:59:01.670]  this exploit stick.
[01:59:03.710 --> 01:59:04.230]  And
[01:59:04.230 --> 01:59:05.810]  this is actually just a UniFi
[01:59:05.810 --> 01:59:08.070]  Cloud Key that's been repurposed.
[01:59:08.070 --> 01:59:09.970]  It's just a little Debian box with a POE
[01:59:09.970 --> 01:59:12.490]  port on it. It's been repurposed to execute
[01:59:13.050 --> 01:59:14.630]  a very fun exploit.
[01:59:14.630 --> 01:59:16.330]  So this is going to do an
[01:59:16.330 --> 01:59:18.330]  ARP cache poisoning attack
[01:59:18.330 --> 01:59:20.810]  automatically when it boots up.
[01:59:20.810 --> 01:59:22.310]  It's going to look for
[01:59:22.310 --> 01:59:24.390]  this type of door controller.
[01:59:24.650 --> 01:59:26.990]  It's going to poison the ARP cache.
[01:59:26.990 --> 01:59:28.810]  It's going to force the door controller
[01:59:28.810 --> 01:59:30.770]  to connect to it.
[01:59:31.370 --> 01:59:32.550]  And then this
[01:59:32.550 --> 01:59:34.570]  will then connect to the
[01:59:34.570 --> 01:59:37.210]  system monitoring software,
[01:59:37.210 --> 01:59:37.850]  which is actually
[01:59:39.230 --> 01:59:40.750]  here in the background.
[01:59:40.750 --> 01:59:42.610]  Unfortunately, I don't have
[01:59:42.710 --> 01:59:44.490]  a great setup to show the data
[01:59:44.490 --> 01:59:45.930]  that's happening on this
[01:59:46.770 --> 01:59:48.070]  laptop here, so
[01:59:48.750 --> 01:59:51.430]  my sincere apologies there as well.
[01:59:52.490 --> 01:59:54.190]  But we're just going to wait another
[01:59:54.190 --> 01:59:56.230]  10 or 15 more seconds.
[01:59:56.250 --> 01:59:58.570]  And what I'm waiting for is a
[01:59:58.570 --> 02:00:01.170]  light here to start flashing.
[02:00:01.170 --> 02:00:02.670]  So during this time,
[02:00:02.670 --> 02:00:04.990]  what will happen in the log
[02:00:06.930 --> 02:00:07.530]  is
[02:00:07.530 --> 02:00:08.430]  in the event log,
[02:00:08.430 --> 02:00:10.950]  I'm going to try. I know I said it's not going to work well,
[02:00:10.950 --> 02:00:12.070]  but we're going to try.
[02:00:12.670 --> 02:00:14.510]  Alright, so in the event log,
[02:00:14.510 --> 02:00:16.550]  we're going to see that the door controller
[02:00:16.550 --> 02:00:18.450]  briefly went offline and then came
[02:00:18.450 --> 02:00:20.730]  back online. And that was
[02:00:20.730 --> 02:00:22.630]  the attack tool running.
[02:00:23.710 --> 02:00:24.510]  Temporarily taking
[02:00:24.510 --> 02:00:25.790]  the door controller offline
[02:00:26.310 --> 02:00:28.310]  and then bringing it back online.
[02:00:28.990 --> 02:00:30.470]  So here we can see the light
[02:00:30.470 --> 02:00:32.250]  flashing. There's only one
[02:00:32.250 --> 02:00:34.370]  flash, which tells us it only found one door
[02:00:34.370 --> 02:00:35.770]  controller to take over.
[02:00:35.770 --> 02:00:37.870]  And everything continues working
[02:00:37.870 --> 02:00:39.830]  normally. So the door controller still
[02:00:39.830 --> 02:00:41.650]  has credentials cached.
[02:00:41.650 --> 02:00:43.470]  Alice can still get in
[02:00:43.470 --> 02:00:44.950]  normally.
[02:00:45.930 --> 02:00:47.810]  Bob is still fired.
[02:00:47.810 --> 02:00:50.070]  Bob, they can't get in.
[02:00:50.070 --> 02:00:51.770]  But something interesting happens
[02:00:51.770 --> 02:00:53.730]  now when Mallory scans
[02:00:53.730 --> 02:00:55.690]  their credential. When Mallory
[02:00:55.690 --> 02:00:57.470]  scans their credential,
[02:00:57.470 --> 02:00:59.770]  that invalid access
[02:00:59.770 --> 02:01:01.450]  attempt is going to go out
[02:01:01.450 --> 02:01:03.750]  over the network to this exploit
[02:01:03.750 --> 02:01:05.770]  device. It's going to see that
[02:01:05.770 --> 02:01:07.850]  it's Mallory's card, and it's going to
[02:01:07.850 --> 02:01:09.570]  manually tell
[02:01:09.570 --> 02:01:11.710]  that door controller to unlock
[02:01:11.710 --> 02:01:14.350]  the door for several seconds.
[02:01:14.390 --> 02:01:15.710]  In the meantime,
[02:01:15.710 --> 02:01:17.350]  it is not going to forward
[02:01:17.350 --> 02:01:19.270]  Mallory's attempt to get in
[02:01:19.270 --> 02:01:21.930]  to the system software, to the server.
[02:01:21.930 --> 02:01:23.850]  So there will be no log entry of any
[02:01:23.850 --> 02:01:25.790]  kind for any of Mallory's
[02:01:25.790 --> 02:01:27.730]  attempts. So here is Mallory's
[02:01:27.730 --> 02:01:28.530]  card.
[02:01:29.710 --> 02:01:31.750]  And they have access down
[02:01:31.750 --> 02:01:33.170]  here to the door strike.
[02:01:34.210 --> 02:01:35.350]  And, of course, they can get out
[02:01:35.350 --> 02:01:36.750]  as well.
[02:01:39.650 --> 02:01:41.410]  And, again,
[02:01:41.410 --> 02:01:42.630]  remember, Alice's credential
[02:01:42.950 --> 02:01:44.250]  still works.
[02:01:44.970 --> 02:01:47.030]  And what we'll notice is that
[02:01:47.030 --> 02:01:48.810]  the only log
[02:01:49.730 --> 02:01:51.090]  information that we see
[02:01:51.090 --> 02:01:53.250]  here is related to the real
[02:01:53.250 --> 02:01:54.710]  system credentials,
[02:01:54.710 --> 02:01:57.030]  that the exploit tool is not filtering
[02:01:57.030 --> 02:01:59.050]  out. It's just
[02:01:59.050 --> 02:02:00.910]  the Alice and Bob credentials.
[02:02:00.910 --> 02:02:02.890]  So it is actively
[02:02:02.890 --> 02:02:04.590]  filtering everything related
[02:02:04.590 --> 02:02:06.370]  to Mallory.
[02:02:07.170 --> 02:02:09.130]  And you might be curious,
[02:02:09.130 --> 02:02:11.770]  well, what happens when you unplug this?
[02:02:11.770 --> 02:02:12.990]  After a few minutes,
[02:02:12.990 --> 02:02:14.770]  the door controller reconnects back to
[02:02:14.770 --> 02:02:16.990]  the original server, and everything
[02:02:16.990 --> 02:02:19.130]  continues working as
[02:02:19.130 --> 02:02:20.830]  expected. So this
[02:02:20.830 --> 02:02:22.470]  specific exploit
[02:02:22.470 --> 02:02:24.590]  is in that GitHub link
[02:02:24.590 --> 02:02:27.390]  that we mentioned here.
[02:02:27.710 --> 02:02:28.910]  If you're interested in it...
[02:02:29.790 --> 02:02:30.690]  We got
[02:02:31.710 --> 02:02:32.910]  lenient, so we
[02:02:32.910 --> 02:02:34.830]  have... it's not a hard
[02:02:34.830 --> 02:02:37.010]  stop, so we can make
[02:02:37.190 --> 02:02:38.370]  a nice exit.
[02:02:38.470 --> 02:02:40.170]  Good enough.
[02:02:41.410 --> 02:02:42.970]  So, if you want to read
[02:02:42.970 --> 02:02:44.770]  more about it, the code is published
[02:02:44.770 --> 02:02:47.390]  here in this GitHub repository.
[02:02:48.470 --> 02:02:48.890]  It's
[02:02:48.890 --> 02:02:50.870]  something that I really want to
[02:02:50.870 --> 02:02:53.010]  stress. This category
[02:02:53.010 --> 02:02:55.030]  of exploit is not unique to this vendor.
[02:02:55.030 --> 02:02:56.830]  It's something that we've seen time and time
[02:02:56.830 --> 02:02:58.910]  again over the years, but it's such
[02:02:59.110 --> 02:03:00.390]  a great, beautiful example
[02:03:00.390 --> 02:03:02.890]  of what happens when we
[02:03:02.890 --> 02:03:04.770]  treat network-enabled
[02:03:04.770 --> 02:03:07.130]  devices as if they're not network-enabled
[02:03:07.130 --> 02:03:08.250]  devices.
[02:03:08.970 --> 02:03:10.930]  So, definitely, if you are
[02:03:10.930 --> 02:03:12.830]  in this section
[02:03:12.830 --> 02:03:14.970]  here, I'm going to talk about mitigations.
[02:03:14.970 --> 02:03:16.790]  So, we'll just... yeah, there we go.
[02:03:16.790 --> 02:03:19.570]  So, overall defenses and mitigations.
[02:03:19.710 --> 02:03:21.030]  I see I didn't add here
[02:03:21.030 --> 02:03:23.150]  my biggest mitigation for door controllers,
[02:03:23.150 --> 02:03:24.670]  which is assume
[02:03:24.670 --> 02:03:26.590]  that your door controller is
[02:03:26.590 --> 02:03:28.810]  super insecure, and that if anyone
[02:03:28.810 --> 02:03:30.510]  is able to talk to it, they're able to
[02:03:30.510 --> 02:03:32.630]  compromise it. That may not actually be the
[02:03:32.630 --> 02:03:34.490]  case, but if you assume that
[02:03:34.490 --> 02:03:36.510]  when you're designing the system, whether
[02:03:36.510 --> 02:03:38.710]  you're a customer or you're an integrator,
[02:03:38.710 --> 02:03:40.270]  that will minimize
[02:03:40.270 --> 02:03:42.630]  the risk related to these types
[02:03:42.630 --> 02:03:44.530]  of exploits, these types of attacks.
[02:03:44.630 --> 02:03:46.290]  If you want to prevent
[02:03:46.290 --> 02:03:48.310]  credential interception by
[02:03:48.310 --> 02:03:51.110]  things like the ESPKey or the BLEKey,
[02:03:51.110 --> 02:03:52.430]  what you want to use is
[02:03:52.430 --> 02:03:54.650]  OSDP version 2 with secure channel
[02:03:54.650 --> 02:03:56.230]  to encrypt the communications
[02:03:56.230 --> 02:03:59.070]  between the reader and the door controller.
[02:03:59.290 --> 02:04:00.570]  If you want to resist
[02:04:00.570 --> 02:04:02.330]  cloning, you want to use secure
[02:04:02.330 --> 02:04:04.730]  credential with secure objects.
[02:04:04.730 --> 02:04:06.610]  We don't have time to get into it,
[02:04:06.610 --> 02:04:08.910]  but short description,
[02:04:08.910 --> 02:04:10.510]  secure objects are basically
[02:04:10.510 --> 02:04:12.750]  ways of cryptographically encrypting
[02:04:12.750 --> 02:04:14.510]  and signing that PACS
[02:04:14.510 --> 02:04:16.610]  payload and tying it to the serial
[02:04:16.610 --> 02:04:18.490]  number of that card, which makes it
[02:04:18.490 --> 02:04:20.590]  harder to duplicate or compromise
[02:04:20.590 --> 02:04:22.910]  later. If you
[02:04:22.910 --> 02:04:24.670]  want to resist tech downgrade
[02:04:24.670 --> 02:04:26.710]  attacks, if you want to just know if people
[02:04:26.710 --> 02:04:28.830]  are messing with your readers, those tamper
[02:04:28.830 --> 02:04:31.350]  switches are super important to monitor.
[02:04:31.630 --> 02:04:32.730]  There are a couple of different
[02:04:32.730 --> 02:04:34.590]  solutions that you can employ to actually
[02:04:34.590 --> 02:04:36.930]  stop attacks cold when they happen.
[02:04:36.930 --> 02:04:39.350]  If you have good tamper switches,
[02:04:39.350 --> 02:04:41.950]  and not all of them are,
[02:04:41.950 --> 02:04:42.370]  some
[02:04:42.370 --> 02:04:44.250]  access control software packages
[02:04:44.250 --> 02:04:46.690]  will allow you to configure an action
[02:04:46.690 --> 02:04:48.790]  that takes place where if a reader is
[02:04:48.790 --> 02:04:50.930]  tampered, then that door gets shut off
[02:04:50.930 --> 02:04:52.770]  until someone goes out and inspects
[02:04:52.770 --> 02:04:54.450]  the reader. There is also
[02:04:54.450 --> 02:04:56.010]  an additional product
[02:04:59.000 --> 02:05:00.140]  that was released
[02:05:00.140 --> 02:05:01.540]  sometime last year
[02:05:02.160 --> 02:05:04.020]  called the spider
[02:05:04.020 --> 02:05:06.300]  blocker. Super weird name,
[02:05:06.300 --> 02:05:08.320]  but interesting tool
[02:05:08.320 --> 02:05:09.720]  all the same.
[02:05:10.120 --> 02:05:12.040]  I don't recommend this for most people,
[02:05:12.040 --> 02:05:14.040]  if I'm being frank. So the spider blocker
[02:05:14.040 --> 02:05:16.100]  is an add-on board. You need one
[02:05:16.100 --> 02:05:17.980]  per reader, and it lives
[02:05:17.980 --> 02:05:19.960]  next to your door controller, and
[02:05:19.960 --> 02:05:21.520]  it is a man in the middle
[02:05:21.520 --> 02:05:23.860]  between the reader and the door controller
[02:05:23.860 --> 02:05:26.520]  that monitors the tamper line.
[02:05:26.520 --> 02:05:28.100]  And if tamper is detected,
[02:05:28.100 --> 02:05:29.780]  it physically disconnects the reader
[02:05:29.780 --> 02:05:31.980]  from the system. And then someone has
[02:05:31.980 --> 02:05:34.060]  to walk back into the wiring
[02:05:34.060 --> 02:05:36.040]  closet and press this red
[02:05:36.040 --> 02:05:38.540]  reset button. It's an interesting thought,
[02:05:38.540 --> 02:05:40.000]  and for some applications, it
[02:05:40.000 --> 02:05:41.980]  might be useful, but it is
[02:05:41.980 --> 02:05:44.520]  probably not really great for wide scale deployment.
[02:05:44.520 --> 02:05:46.040]  If you're really worried about people
[02:05:46.040 --> 02:05:47.840]  messing with your readers, the biggest
[02:05:47.840 --> 02:05:50.180]  things that you can do are having a
[02:05:50.180 --> 02:05:52.240]  good tamper monitoring solution,
[02:05:52.480 --> 02:05:54.000]  having a good plan of action
[02:05:54.000 --> 02:05:56.200]  for what happens if a tamper gets
[02:05:56.200 --> 02:05:57.980]  triggered, and depending
[02:05:57.980 --> 02:06:00.000]  on the vendor, if you are able
[02:06:00.000 --> 02:06:02.040]  to use custom keys,
[02:06:02.040 --> 02:06:04.160]  custom encryption keys for your
[02:06:04.160 --> 02:06:06.200]  credentials and readers, in many
[02:06:06.200 --> 02:06:08.440]  cases, that can offer an additional
[02:06:08.440 --> 02:06:10.440]  layer of protection.
[02:06:10.440 --> 02:06:12.260]  Specifically, with
[02:06:12.260 --> 02:06:13.740]  multiple vendors, if you are
[02:06:13.740 --> 02:06:15.700]  using custom keys,
[02:06:15.700 --> 02:06:17.920]  HID calls them Elite, other vendors
[02:06:17.920 --> 02:06:19.940]  might call them different terminology.
[02:06:19.940 --> 02:06:22.160]  If you are using custom keys,
[02:06:22.160 --> 02:06:23.680]  then those configuration
[02:06:23.680 --> 02:06:25.720]  cards that we talked about also
[02:06:25.720 --> 02:06:27.800]  have to have those custom keys loaded,
[02:06:27.800 --> 02:06:29.640]  which is much harder
[02:06:29.640 --> 02:06:31.500]  to do, because there is a special
[02:06:31.500 --> 02:06:33.760]  restricted ordering process for
[02:06:33.760 --> 02:06:35.340]  ordering readers and credentials
[02:06:35.340 --> 02:06:37.740]  with custom keying data.
[02:06:38.200 --> 02:06:39.420]  So the only reason
[02:06:39.420 --> 02:06:41.520]  that this worked is because
[02:06:41.520 --> 02:06:43.240]  our reader was using a standard
[02:06:43.240 --> 02:06:45.820]  global key, and we were using a
[02:06:45.820 --> 02:06:47.940]  standard global configuration card
[02:06:47.940 --> 02:06:49.800]  that was available to all
[02:06:49.800 --> 02:06:52.940]  integrators and all customers.
[02:06:52.940 --> 02:06:53.700]  So, yeah, there are
[02:06:53.700 --> 02:06:56.840]  a couple of things to do there as well.
[02:06:56.840 --> 02:06:57.700]  Now, I don't know if
[02:06:57.700 --> 02:06:59.860]  we have any time left. Iceman,
[02:06:59.860 --> 02:07:01.560]  how much flexibility did they give us
[02:07:01.560 --> 02:07:03.660]  for Q&A?
[02:07:04.380 --> 02:07:06.000]  They made a very small one.
[02:07:06.000 --> 02:07:07.880]  Very small.
[02:07:07.880 --> 02:07:09.120]  I said that we are going to have a Q&A
[02:07:09.120 --> 02:07:12.400]  over at Wireless Village RFID channel.
[02:07:12.400 --> 02:07:13.020]  And how do people
[02:07:13.020 --> 02:07:14.880]  get there if they want to do that?
[02:07:15.000 --> 02:07:17.000]  I sent you a link, so I thought
[02:07:17.000 --> 02:07:18.340]  you could post it there.
[02:07:18.340 --> 02:07:20.920]  I posted on Twitter and I posted
[02:07:20.920 --> 02:07:21.780]  on Discord.
[02:07:22.840 --> 02:07:25.200]  Sure, sure. Give me a second. Let me grab that.
[02:07:25.300 --> 02:07:27.120]  Feel free to follow both me and Babak
[02:07:27.120 --> 02:07:29.120]  on Twitter, and shout
[02:07:29.120 --> 02:07:31.040]  out to YouTubes and all that
[02:07:31.040 --> 02:07:31.800]  stuff.
[02:07:33.220 --> 02:07:35.180]  So, give me one moment
[02:07:35.180 --> 02:07:37.000]  here, and I
[02:07:37.000 --> 02:07:38.980]  will add this link
[02:07:38.980 --> 02:07:40.680]  so everyone has it.
[02:07:41.200 --> 02:07:41.640]  Yeah.
[02:07:44.180 --> 02:07:45.140]  We have a text
[02:07:45.140 --> 02:07:47.020]  channel there. If you want to have a video channel,
[02:07:47.020 --> 02:07:49.420]  we can make it as well also later on.
[02:07:49.820 --> 02:07:51.060]  But the Wireless
[02:07:51.060 --> 02:07:53.040]  Village people, we are going to make a little talk
[02:07:53.040 --> 02:07:54.840]  now as well, so we don't want to.
[02:07:54.840 --> 02:07:56.240]  Of course, absolutely.
[02:07:56.960 --> 02:07:58.300]  Wade's talk is soon also.
[02:07:58.600 --> 02:08:01.120]  This link here, this Discord channel,
[02:08:01.120 --> 02:08:03.120]  we will be doing a little bit of Q&A for a few
[02:08:03.120 --> 02:08:03.840]  minutes.
[02:08:03.840 --> 02:08:06.360]  And if you have any questions,
[02:08:06.360 --> 02:08:08.240]  reach out, email us.
[02:08:08.660 --> 02:08:09.940]  We are happy to
[02:08:09.940 --> 02:08:11.860]  point you in the right direction. If you are a pen
[02:08:11.860 --> 02:08:13.780]  tester and you are interested in
[02:08:13.780 --> 02:08:15.760]  training, this is the point
[02:08:15.760 --> 02:08:17.760]  where I just plug for 10 seconds.
[02:08:17.760 --> 02:08:19.460]  Go to redteamalliance.com.
[02:08:19.460 --> 02:08:21.720]  Iceman and I have a new 5-day hands-on
[02:08:21.720 --> 02:08:23.700]  training where we are going to work hands-on with
[02:08:23.700 --> 02:08:25.580]  everything from door controllers to weaponized
[02:08:25.580 --> 02:08:27.520]  readers to some more advanced
[02:08:27.520 --> 02:08:29.780]  techniques for manipulating credentials.
[02:08:29.780 --> 02:08:31.560]  That's going to be coming out at the
[02:08:31.560 --> 02:08:33.640]  end of September. So we have dates announced
[02:08:33.640 --> 02:08:35.920]  for it. And it is a hands-on
[02:08:35.920 --> 02:08:37.820]  course. So every student will receive
[02:08:37.820 --> 02:08:39.720]  hardware like the reader that you
[02:08:39.720 --> 02:08:41.740]  saw here. And test
[02:08:41.740 --> 02:08:43.800]  credentials and tools to
[02:08:43.800 --> 02:08:45.720]  weaponize things. So
[02:08:45.720 --> 02:08:47.760]  if you are curious about that, you can ask us about
[02:08:47.760 --> 02:08:49.800]  that as well. So that's it.
[02:08:49.800 --> 02:08:51.700]  Thank you everyone so much for being so
[02:08:51.700 --> 02:08:53.760]  patient with our first DEF CON
[02:08:53.760 --> 02:08:55.540]  livestream attempt.
[02:08:55.700 --> 02:08:57.660]  And for the back and forth that we
[02:08:57.660 --> 02:08:59.800]  had with the slides, all things considered, it went
[02:08:59.800 --> 02:09:01.660]  better than I expected somehow.
[02:09:02.360 --> 02:09:03.880]  So, thank you again.
[02:09:03.880 --> 02:09:05.320]  Hope you guys enjoyed it.
[02:09:05.760 --> 02:09:07.800]  Yes, yes one shipping. Thank you so
[02:09:07.800 --> 02:09:09.860]  much. It's been a delight. Pleasure
[02:09:09.860 --> 02:09:11.580]  as always to talk with you, Babak, and
[02:09:11.580 --> 02:09:13.740]  meet all you guys. And I'm looking forward
[02:09:13.740 --> 02:09:15.640]  to having you over at the Q&A and
[02:09:15.640 --> 02:09:17.440]  have some chats with you there.
[02:09:17.960 --> 02:09:18.720]  Stay cool.
